Bug 70050 - Change MAX_LOGIN_ATTEMPTS to a parameter
git-svn-id: svn://svn.office.custis.ru/3rdparty/bugzilla.org/trunk@964 6955db30-a419-402b-8a0d-67ecbb4d7f56master
parent
9c51c3770a
commit
19c65abca7
|
@ -169,7 +169,7 @@ sub _handle_login_result {
|
||||||
# the password was just wrong. (This makes it harder for a cracker
|
# the password was just wrong. (This makes it harder for a cracker
|
||||||
# to find account names by brute force)
|
# to find account names by brute force)
|
||||||
elsif ($fail_code == AUTH_LOGINFAILED or $fail_code == AUTH_NO_SUCH_USER) {
|
elsif ($fail_code == AUTH_LOGINFAILED or $fail_code == AUTH_NO_SUCH_USER) {
|
||||||
my $remaining_attempts = MAX_LOGIN_ATTEMPTS
|
my $remaining_attempts = Bugzilla->params->{max_login_attempts}
|
||||||
- ($result->{failure_count} || 0);
|
- ($result->{failure_count} || 0);
|
||||||
ThrowUserError("invalid_username_or_password",
|
ThrowUserError("invalid_username_or_password",
|
||||||
{ remaining => $remaining_attempts });
|
{ remaining => $remaining_attempts });
|
||||||
|
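Review bot: With `max_login_attempts` set to 0, which the checker text and parameter description added elsewhere in this commit define as "no limit", the new `$remaining_attempts` line evaluates to `0 - failure_count`, so the `invalid_username_or_password` error would carry a negative remaining count. Hoist the lookup and skip the subtraction when no limit is configured: `my $max_attempts = Bugzilla->params->{max_login_attempts};` then `my $remaining_attempts = $max_attempts ? $max_attempts - ($result->{failure_count} || 0) : undef;`. The template that renders `remaining` is not part of this commit, so it would presumably need to treat undef as "unlimited". The enclosing `_handle_login_result` starts and ends outside the hunk.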
@ -188,8 +188,8 @@ sub _handle_login_result {
|
||||||
|
|
||||||
# We want to know when the account will be unlocked. This is
|
# We want to know when the account will be unlocked. This is
|
||||||
# determined by the 5th-from-last login failure (or more/less than
|
# determined by the 5th-from-last login failure (or more/less than
|
||||||
# 5th, if MAX_LOGIN_ATTEMPTS is not 5).
|
# 5th, if Bugzilla->params->{max_login_attempts} is not 5).
|
||||||
my $determiner = $attempts->[scalar(@$attempts) - MAX_LOGIN_ATTEMPTS];
|
my $determiner = $attempts->[scalar(@$attempts) - Bugzilla->params->{max_login_attempts}];
|
||||||
my $unlock_at = datetime_from($determiner->{login_time},
|
my $unlock_at = datetime_from($determiner->{login_time},
|
||||||
Bugzilla->local_timezone);
|
Bugzilla->local_timezone);
|
||||||
$unlock_at->add(minutes => Bugzilla->params->{login_lockout_interval});
|
$unlock_at->add(minutes => Bugzilla->params->{login_lockout_interval});
|
||||||
|
|
|
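Review bot: The new `$determiner` line reads `Bugzilla->params->{max_login_attempts}` inline, producing a long index expression and repeating a lookup the same function now also performs earlier; `my $max_attempts = Bugzilla->params->{max_login_attempts};` followed by `my $determiner = $attempts->[scalar(@$attempts) - $max_attempts];` reads more clearly. If the parameter were 0 the index would equal the array length and `$determiner` would be undef before `->{login_time}` is read; the lock-out check changed in this commit returns 0 for a zero limit, so this branch is presumably not reached in that case, but a comment such as `# Only reached once the account is locked out, so max_login_attempts is > 0 here` would make the assumption explicit. The enclosing function starts and ends outside the hunk.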
@ -135,6 +135,13 @@ sub get_param_list {
|
||||||
default => ''
|
default => ''
|
||||||
},
|
},
|
||||||
|
|
||||||
|
{
|
||||||
|
name => 'max_login_attempts',
|
||||||
|
type => 't',
|
||||||
|
default => 5,
|
||||||
|
checker => sub { $_[0] =~ /^\d+$/so ? "" : "must be a positive integer value or 0 (means no limit)" },
|
||||||
|
},
|
||||||
|
|
||||||
{
|
{
|
||||||
name => 'login_lockout_interval',
|
name => 'login_lockout_interval',
|
||||||
type => 't',
|
type => 't',
|
||||||
|
|
|
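Review bot: The regex on the new `checker =>` line anchors with `^` and `$`, so a value with a trailing newline still passes, and the `/s` and `/o` modifiers have no effect on a pattern with neither `.` nor an interpolated variable; `\A\d+\z` states the intent exactly: `checker => sub { $_[0] =~ /\A\d+\z/ ? "" : "must be a positive integer value or 0 (means no limit)" },`. Because the value is stored as type `t` (text) and is later used in subtraction and numeric comparison, this check is the only thing guaranteeing it is numeric, so it is worth making strict. The enclosing `get_param_list` starts and ends outside the hunk.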
@ -156,7 +156,6 @@ use Cwd qw(abs_path);
|
||||||
MAX_TOKEN_AGE
|
MAX_TOKEN_AGE
|
||||||
MAX_LOGINCOOKIE_AGE
|
MAX_LOGINCOOKIE_AGE
|
||||||
MAX_SUDO_TOKEN_AGE
|
MAX_SUDO_TOKEN_AGE
|
||||||
MAX_LOGIN_ATTEMPTS
|
|
||||||
|
|
||||||
SAFE_PROTOCOLS
|
SAFE_PROTOCOLS
|
||||||
LEGAL_CONTENT_TYPES
|
LEGAL_CONTENT_TYPES
|
||||||
|
@ -390,9 +389,6 @@ use constant MAX_LOGINCOOKIE_AGE => 30;
|
||||||
# How many seconds (default is 6 hours) a sudo cookie remains valid.
|
# How many seconds (default is 6 hours) a sudo cookie remains valid.
|
||||||
use constant MAX_SUDO_TOKEN_AGE => 21600;
|
use constant MAX_SUDO_TOKEN_AGE => 21600;
|
||||||
|
|
||||||
# Maximum failed logins to lock account for this IP
|
|
||||||
use constant MAX_LOGIN_ATTEMPTS => 5;
|
|
||||||
|
|
||||||
# Protocols which are considered as safe.
|
# Protocols which are considered as safe.
|
||||||
use constant SAFE_PROTOCOLS => ('afs', 'cid', 'ftp', 'gopher', 'http', 'https',
|
use constant SAFE_PROTOCOLS => ('afs', 'cid', 'ftp', 'gopher', 'http', 'https',
|
||||||
'irc', 'mid', 'news', 'nntp', 'prospero', 'telnet',
|
'irc', 'mid', 'news', 'nntp', 'prospero', 'telnet',
|
||||||
|
|
|
@ -1761,7 +1761,7 @@ sub create {
|
||||||
sub account_is_locked_out {
|
sub account_is_locked_out {
|
||||||
my $self = shift;
|
my $self = shift;
|
||||||
my $login_failures = scalar @{ $self->account_ip_login_failures };
|
my $login_failures = scalar @{ $self->account_ip_login_failures };
|
||||||
return $login_failures >= MAX_LOGIN_ATTEMPTS ? 1 : 0;
|
return Bugzilla->params->{max_login_attempts} && $login_failures >= Bugzilla->params->{max_login_attempts} ? 1 : 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
sub note_login_failure {
|
sub note_login_failure {
|
||||||
|
|
|
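Review bot: The rewritten `return` in `account_is_locked_out` reads `Bugzilla->params->{max_login_attempts}` twice and still calls `account_ip_login_failures` (presumably a database lookup) before checking whether a limit is configured at all. Returning early when the parameter is 0 avoids that work and makes the "0 means no limit" rule, which the commit otherwise states only in the parameter description, visible in the code: `my $max_attempts = Bugzilla->params->{max_login_attempts} or return 0;` followed by `return $login_failures >= $max_attempts ? 1 : 0;`. The `&&` / `?:` precedence on the new line is correct, but the long line obscures it, and the split form needs no parentheses.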
@ -132,6 +132,8 @@
|
||||||
fof_sudo_mynetworks => "Comma-separated list of network masks in the form of xxx.xxx.xxx.xxx/xx " _
|
fof_sudo_mynetworks => "Comma-separated list of network masks in the form of xxx.xxx.xxx.xxx/xx " _
|
||||||
"(for example 127.0.0.1/32) from which FOF_Sudo authorization is allowed.",
|
"(for example 127.0.0.1/32) from which FOF_Sudo authorization is allowed.",
|
||||||
|
|
||||||
|
max_login_attempts => "Maximum failed logins to lock account for one IP address. 0 means no limit.",
|
||||||
|
|
||||||
login_lockout_interval => "If the maximum login attempts occur during this many minutes, the account is locked.",
|
login_lockout_interval => "If the maximum login attempts occur during this many minutes, the account is locked.",
|
||||||
|
|
||||||
} %]
|
} %]
|
||||||
|
|
|
@ -26,7 +26,7 @@ Subject: [[% terms.Bugzilla %]] Account Lock-Out: [% locked_user.login %] ([% at
|
||||||
X-Bugzilla-Type: admin
|
X-Bugzilla-Type: admin
|
||||||
|
|
||||||
The IP address [% attempts.0.ip_addr %] failed too many login attempts (
|
The IP address [% attempts.0.ip_addr %] failed too many login attempts (
|
||||||
[%- constants.MAX_LOGIN_ATTEMPTS +%]) for
|
[%- Param('max_login_attempts') +%]) for
|
||||||
the account [% locked_user.login %].
|
the account [% locked_user.login %].
|
||||||
|
|
||||||
The login attempts occurred at these times:
|
The login attempts occurred at these times:
|
||||||
|
|