Inicio Explorar Axuda
Iniciar sesión
RISCI_ATOM
/
nextcloud-server
réplica de https://github.com/nextcloud/server.git
1
0
Fork 0
Ficheiros Incidencias 23 Wiki
Explorar o código

Merge pull request #43889 from nextcloud/backport/43599/stable25

[stable25] fix: Add bruteforce protection to email endpoint
John Molakvoæ hai 3 meses
pai
0423137145 f02be80793
achega
68f4d89292
Modificáronse 1 ficheiros con 15 adicións e 6 borrados
Dividir vista Mostrar estatísticas de Diff
  1. 15 6
      apps/provisioning_api/lib/Controller/VerificationController.php

+ 15 - 6
apps/provisioning_api/lib/Controller/VerificationController.php
Ver ficheiro 

@@ -77,7 +77,7 @@ class VerificationController extends Controller {
 
 	 * @NoAdminRequired
 
 	 * @NoSubAdminRequired
 
 	 */
 
-	public function showVerifyMail(string $token, string $userId, string $key) {
 
+	public function showVerifyMail(string $token, string $userId, string $key): TemplateResponse {
 
 		if ($this->userSession->getUser()->getUID() !== $userId) {
 
 			// not a public page, hence getUser() must return an IUser
 
 			throw new InvalidArgumentException('Logged in user is not mail address owner');
 
@@ -95,8 +95,10 @@ class VerificationController extends Controller {
 
 	/**
 
 	 * @NoAdminRequired
 
 	 * @NoSubAdminRequired
 
+	 * @BruteForceProtection(action=emailVerification)
 
 	 */
 
-	public function verifyMail(string $token, string $userId, string $key) {
 
+	public function verifyMail(string $token, string $userId, string $key): TemplateResponse {
 
+		$throttle = false;
 
 		try {
 
 			if ($this->userSession->getUser()->getUID() !== $userId) {
 
 				throw new InvalidArgumentException('Logged in user is not mail address owner');
 
@@ -118,9 +120,12 @@ class VerificationController extends Controller {
 
 			$this->accountManager->updateAccount($userAccount);
 
 			$this->verificationToken->delete($token, $user, 'verifyMail' . $ref);
 
 		} catch (InvalidTokenException $e) {
 
-			$error = $e->getCode() === InvalidTokenException::TOKEN_EXPIRED
 
-				? $this->l10n->t('Could not verify mail because the token is expired.')
 
-				: $this->l10n->t('Could not verify mail because the token is invalid.');
 
+			if ($e->getCode() === InvalidTokenException::TOKEN_EXPIRED) {
 
+				$error = $this->l10n->t('Could not verify mail because the token is expired.');
 
+			} else {
 
+				$throttle = true;
 
+				$error = $this->l10n->t('Could not verify mail because the token is invalid.');
 
+			}
 
 		} catch (InvalidArgumentException $e) {
 
 			$error = $e->getMessage();
 
 		} catch (\Exception $e) {
 
@@ -128,10 +133,14 @@ class VerificationController extends Controller {
 
 		}
 
 
 		if (isset($error)) {
 
-			return new TemplateResponse(
 
+			$response = new TemplateResponse(
 
 				'core', 'error', [
 
 					'errors' => [['error' => $error]]
 
 				], TemplateResponse::RENDER_AS_GUEST);
 
+			if ($throttle) {
 
+				$response->throttle();
 
+			}
 
+			return $response;
 
 		}
 
 
 		return new TemplateResponse(