fix(lostpassword): Also rate limit the setPassword endpoint
Signed-off-by: Joas Schilling <coding@schilljs.com>
This commit is contained in:
Родитель
e18f97fc95
Коммит
7ee81b6555
|
@ -201,7 +201,7 @@ class LostController extends Controller {
|
|||
}
|
||||
|
||||
$user = trim($user);
|
||||
|
||||
|
||||
\OCP\Util::emitHook(
|
||||
'\OCA\Files_Sharing\API\Server2Server',
|
||||
'preLoginNameUsedAsUserName',
|
||||
|
@ -225,8 +225,10 @@ class LostController extends Controller {
|
|||
|
||||
/**
|
||||
* @PublicPage
|
||||
* @BruteForceProtection(action=passwordResetEmail)
|
||||
* @AnonRateThrottle(limit=10, period=300)
|
||||
*/
|
||||
public function setPassword(string $token, string $userId, string $password, bool $proceed): array {
|
||||
public function setPassword(string $token, string $userId, string $password, bool $proceed): JSONResponse {
|
||||
if ($this->encryptionManager->isEnabled() && !$proceed) {
|
||||
$encryptionModules = $this->encryptionManager->getEncryptionModules();
|
||||
foreach ($encryptionModules as $module) {
|
||||
|
@ -234,7 +236,7 @@ class LostController extends Controller {
|
|||
$instance = call_user_func($module['callback']);
|
||||
// this way we can find out whether per-user keys are used or a system wide encryption key
|
||||
if ($instance->needDetailedAccessList()) {
|
||||
return $this->error('', ['encryption' => true]);
|
||||
return new JSONResponse($this->error('', ['encryption' => true]));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -262,12 +264,16 @@ class LostController extends Controller {
|
|||
$this->config->deleteUserValue($userId, 'core', 'lostpassword');
|
||||
@\OC::$server->getUserSession()->unsetMagicInCookie();
|
||||
} catch (HintException $e) {
|
||||
return $this->error($e->getHint());
|
||||
$response = new JSONResponse($this->error($e->getHint()));
|
||||
$response->throttle();
|
||||
return $response;
|
||||
} catch (Exception $e) {
|
||||
return $this->error($e->getMessage());
|
||||
$response = new JSONResponse($this->error($e->getMessage()));
|
||||
$response->throttle();
|
||||
return $response;
|
||||
}
|
||||
|
||||
return $this->success(['user' => $userId]);
|
||||
return new JSONResponse($this->success(['user' => $userId]));
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
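Review bot: The generic `catch (Exception $e)` branch in the last hunk still sends `$e->getMessage()` to an unauthenticated caller, so the new throttled JSONResponse can carry internal exception text (database, storage or crypto errors, for example) out of a public endpoint; only the HintException branch is designed to expose its hint. Unless every exception reaching this point is known to be user-safe, return a fixed, translated generic error there and keep the original message for the server log, e.g. `$response = new JSONResponse($this->error($genericSetPasswordError));` — whether this controller already has a logger to record `$e` is not visible from the hunk. The `throttle()` calls on both failure branches and the added `@AnonRateThrottle` match the commit's purpose, and the encryption early return correctly stays unthrottled since no secret was tested there. The middle of setPassword (token validation between the third and fourth hunk) lies outside the shown hunks and is not reviewed here.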