From 704eb3aa6cecc0a646f5cca4290b595f493f9ed3 Mon Sep 17 00:00:00 2001 From: Joas Schilling Date: Fri, 20 Jan 2023 13:10:09 +0100 Subject: [PATCH 1/2] Add bruteforce protection to password reset page Signed-off-by: Joas Schilling --- core/Controller/LostController.php | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/core/Controller/LostController.php b/core/Controller/LostController.php index 6176e3cd5e58e..044535c345bc9 100644 --- a/core/Controller/LostController.php +++ b/core/Controller/LostController.php @@ -128,6 +128,8 @@ public function __construct( * * @PublicPage * @NoCSRFRequired + * @BruteForceProtection(action=passwordResetEmail) + * @AnonRateThrottle(limit=10, period=300) */ public function resetform(string $token, string $userId): TemplateResponse { try { @@ -137,12 +139,14 @@ public function resetform(string $token, string $userId): TemplateResponse { || ($e instanceof InvalidTokenException && !in_array($e->getCode(), [InvalidTokenException::TOKEN_NOT_FOUND, InvalidTokenException::USER_UNKNOWN])) ) { - return new TemplateResponse( + $response = new TemplateResponse( 'core', 'error', [ "errors" => [["error" => $e->getMessage()]] ], TemplateResponse::RENDER_AS_GUEST ); + $response->throttle(); + return $response; } return new TemplateResponse('core', 'error', [ 'errors' => [['error' => $this->l10n->t('Password reset is disabled')]] From 875e6cf7e6d5a469922fc6e542db8388cedcff01 Mon Sep 17 00:00:00 2001 From: Joas Schilling Date: Mon, 6 Feb 2023 11:26:38 +0100 Subject: [PATCH 2/2] fix(CI): Adjust expected result Signed-off-by: Joas Schilling --- tests/Core/Controller/LostControllerTest.php | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/Core/Controller/LostControllerTest.php b/tests/Core/Controller/LostControllerTest.php index 3f62c522627ef..e95c3fa1c51c0 100644 --- a/tests/Core/Controller/LostControllerTest.php +++ b/tests/Core/Controller/LostControllerTest.php 
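Review bot: The action name `passwordResetEmail` on the new `@BruteForceProtection` annotation for `resetform` reads like the name of the endpoint that sends the reset email rather than the one that validates a token; that endpoint is not in this diff, so this is inferred from the name. If both endpoints share one action, token-guessing attempts and ordinary reset-email requests from the same address land in a single counter, and a user who requested a few emails can lock themselves out of the form; a distinct name such as `@BruteForceProtection(action=passwordResetForm)` keeps the buckets separate. Whatever name is kept, a one-line comment above the annotation such as `// Counted as a brute-force attempt only when the token check below fails` would tell the next reader which requests actually register. The body of `resetform` continues outside this hunk.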
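Review bot: Only the first error branch calls `$response->throttle()`; the fallback that returns `Password reset is disabled` for `TOKEN_NOT_FOUND`/`USER_UNKNOWN` when the link is disabled still returns without registering an attempt, so guesses against a token issued before `lost_password_link` was set to `disabled` are limited only by the `@AnonRateThrottle` limit, not by the brute-force counter. If that is intentional because no new tokens can be issued while the feature is off, a comment on that `return` such as `// Not throttled: reset links cannot be issued while the feature is disabled` makes the asymmetry explicit; otherwise build that response into a local and call `throttle()` on it as well. The enclosing `if` and the `catch` it sits in begin before this hunk, so the exception type caught is not visible here.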
@@ -171,6 +171,7 @@ public function testResetFormTokenError() { ] ], 'guest'); + $expectedResponse->throttle(); $this->assertEquals($expectedResponse, $response); }
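Review bot: The adjusted expectation pins only the throttled error path of `resetform`; nothing asserts that the `Password reset is disabled` response is returned without `throttle()` when `lost_password_link` is `disabled` and the token code is `TOKEN_NOT_FOUND` or `USER_UNKNOWN`, so a later change that starts (or stops) throttling that branch would pass CI unnoticed. A sibling test that builds the expected `TemplateResponse` without calling `throttle()` and asserts equality would cover it. `testResetFormTokenError` begins before this hunk.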