Mirrors
/
nextcloud-server
mirror of https://github.com/nextcloud/server
3
0
Fork 0
Code Releases Activity
Browse Source

fix(lostpassword): Also rate limit the setPassword endpoint 

Signed-off-by: Joas Schilling <coding@schilljs.com>
pull/38267/head
Joas Schilling 2 years ago
parent
e18f97fc95
commit
7ee81b6555
No known key found for this signature in database GPG Key ID: 74434EFE0D2E2205
1 changed files with 12 additions and 6 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 18
      core/Controller/LostController.php

18
core/Controller/LostController.php
View File

@ -201,7 +201,7 @@ class LostController extends Controller {
}
$user = trim($user);
\OCP\Util::emitHook(
'\OCA\Files_Sharing\API\Server2Server',
'preLoginNameUsedAsUserName',
@ -225,8 +225,10 @@ class LostController extends Controller {
/**
* @PublicPage
* @BruteForceProtection(action=passwordResetEmail)
* @AnonRateThrottle(limit=10, period=300)
*/
public function setPassword(string $token, string $userId, string $password, bool $proceed): array {
public function setPassword(string $token, string $userId, string $password, bool $proceed): JSONResponse {
if ($this->encryptionManager->isEnabled() && !$proceed) {
$encryptionModules = $this->encryptionManager->getEncryptionModules();
foreach ($encryptionModules as $module) {
@ -234,7 +236,7 @@ class LostController extends Controller {
$instance = call_user_func($module['callback']);
// this way we can find out whether per-user keys are used or a system wide encryption key
if ($instance->needDetailedAccessList()) {
return $this->error('', ['encryption' => true]);
return new JSONResponse($this->error('', ['encryption' => true]));
}
}
}
@ -262,12 +264,16 @@ class LostController extends Controller {
$this->config->deleteUserValue($userId, 'core', 'lostpassword');
@\OC::$server->getUserSession()->unsetMagicInCookie();
} catch (HintException $e) {
return $this->error($e->getHint());
$response = new JSONResponse($this->error($e->getHint()));
$response->throttle();
return $response;
} catch (Exception $e) {
return $this->error($e->getMessage());
$response = new JSONResponse($this->error($e->getMessage()));
$response->throttle();
return $response;
}
return $this->success(['user' => $userId]);
return new JSONResponse($this->success(['user' => $userId]));
}
/**

Write Preview
Loading…
Cancel
Save