Add two new protections : REQUESTS_MIN_DELAY and MAX_PASSWORDS_PER_REQUEST (see conf.php)

This commit is contained in:
Gregory Soutade 2015-12-04 17:02:31 +01:00
parent cc66b612ef
commit 6604fbb6e1
2 changed files with 49 additions and 4 deletions

View File

@ -1,6 +1,6 @@
<?php <?php
/* /*
Copyright (C) 2013-2014 Grégory Soutadé Copyright (C) 2013-2015 Grégory Soutadé
This file is part of gPass. This file is part of gPass.
@ -22,14 +22,40 @@ include("conf.php");
function load_database() function load_database()
{ {
global $REQUESTS_MIN_DELAY;
try { try {
$db = new SQLite3("./gpass.bdd", SQLITE3_OPEN_READONLY); $db = new SQLite3("./gpass.bdd", SQLITE3_OPEN_READWRITE);
} }
catch(Exception $e) catch(Exception $e)
{ {
die("<b>Unable to load database for user $user !</b><br/>"); die("<b>Unable to load database for user $user !</b><br/>");
return null; return null;
} }
list($usec, $sec) = explode(" ", microtime());
$usec = $usec + $sec*1000;
try {
$last_time = $db->querySingle("SELECT last_access_time FROM conf");
if ($last_time <= $usec &&
($usec - $last_time) < $REQUESTS_MIN_DELAY)
{
// Brute force ??
$db->close();
return null;
}
$db->query("UPDATE conf SET last_access_time=$usec");
$db->close();
$db = new SQLite3("./gpass.bdd", SQLITE3_OPEN_READONLY);
}
catch(Exception $e)
{
$db->close();
die("<b>Unable to load database for user $user !</b><br/>");
return null;
}
return $db; return $db;
} }
@ -45,7 +71,7 @@ echo "protocol=gpass-$PROTOCOL_VERSION\n";
if ($PKDBF2_LEVEL != 1000) if ($PKDBF2_LEVEL != 1000)
echo "pkdbf2_level=$PKDBF2_LEVEL\n"; echo "pkdbf2_level=$PKDBF2_LEVEL\n";
for ($i=0; isset($_POST["k$i"]); $i++) for ($i=0; $i<$MAX_PASSWORDS_PER_REQUEST && isset($_POST["k$i"]); $i++)
{ {
$statement->bindValue(":login", addslashes($_POST["k$i"])); $statement->bindValue(":login", addslashes($_POST["k$i"]));
$result = $statement->execute(); $result = $statement->execute();

View File

@ -1,6 +1,6 @@
<?php <?php
/* /*
Copyright (C) 2013-2014 Grégory Soutadé Copyright (C) 2013-2015 Grégory Soutadé
This file is part of gPass. This file is part of gPass.
@ -60,4 +60,23 @@ $PKDBF2_LEVEL=1000;
standard crypto API will be stable it will be enabled by default. standard crypto API will be stable it will be enabled by default.
*/ */
$USE_SHADOW_LOGINS=0; $USE_SHADOW_LOGINS=0;
/*
Protection against DDoS.
Each request can contains multiple password combination
(to support wildcards for example) and multiple names.
Currently only two passwords are sent from addon :
www.example.com
*.example.com
But, on future we may also consider 'www.example.*', '*.example.*' and lower case username.
For maximum security, you can set it to 2.
*/
$MAX_PASSWORDS_PER_REQUEST=10;
/*
Protection against brute force.
Minimum delay (in milliseconds) between two requests.
*/
$REQUESTS_MIN_DELAY=1000;
?> ?>