# HG changeset patch
# User Dan
# Date 1191809175 14400
# Node ID c69730750be34cd42fdd7a28ac62907589f7d937
# Parent 06bdbdfec160995ac03dd6722a5a442846300e2b
Fixed the security hole (really, I'm a moron - used $failed > $threshold instead of $failed >= $threashold) and patched up some...erm... math issues
diff -r 06bdbdfec160 -r c69730750be3 includes/clientside/static/misc.js
--- a/includes/clientside/static/misc.js Sun Oct 07 21:41:42 2007 -0400
+++ b/includes/clientside/static/misc.js Sun Oct 07 22:06:15 2007 -0400
@@ -337,8 +337,7 @@
 $attempts = parseInt($data['lockout_fails']);
 if ( $attempts > $data['lockout_threshold'])
 $attempts = $data['lockout_threshold'];
- window.console.debug('server time ', $data.server_time, ', last time ', $data['lockout_last_time'], ', duration ', $data['lockout_duration']);
- $time_rem = $data.lockout_duration - Math.round( ( $data.server_time - $data.lockout_last_time ) / 60 );
+ $time_rem = $data.time_rem;
 $s = ( $time_rem == 1 ) ? '' : 's';
 $errstring = "You have used up all "+$data['lockout_threshold']+" allowed login attempts. Please wait "+$time_rem+" minute"+$s+" before attempting to log in again";
 if ( $data['lockout_policy'] == 'captcha' )
diff -r 06bdbdfec160 -r c69730750be3 includes/sessions.php
--- a/includes/sessions.php Sun Oct 07 21:41:42 2007 -0400
+++ b/includes/sessions.php Sun Oct 07 22:06:15 2007 -0400
@@ -577,7 +577,7 @@
 $timestamp_cutoff = time() - $duration;
 $q = $this->sql('SELECT timestamp FROM '.table_prefix.'lockout WHERE timestamp > ' . $timestamp_cutoff . ' AND ipaddr = \'' . $ipaddr . '\' ORDER BY timestamp DESC;');
 $fails = $db->numrows();
- if ( $fails > $threshold )
+ if ( $fails >= $threshold )
 {
 // ooh boy, somebody's in trouble ;-)
 $row = $db->fetchrow();
@@ -589,6 +589,7 @@
 'lockout_duration' => ( $duration / 60 ),
 'lockout_fails' => $fails,
 'lockout_policy' => $policy,
+ 'time_rem' => ( $duration / 60 ) - round( ( time() - $row['timestamp'] ) / 60 ),
 'lockout_last_time' => $row['timestamp']
 );
 }
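Review bot: `$time_rem = $data.time_rem;` takes the server value without the `parseInt` coercion that the `lockout_fails` line two lines above applies; if the encoder ever delivers it as a string, `$time_rem == 1` still matches under loose equality but the value is no longer guaranteed numeric for any later arithmetic. `$time_rem = parseInt($data.time_rem, 10);` keeps the two lines consistent. The `parseInt` on the line above also still lacks a radix. The enclosing function starts and ends outside the hunk.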
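Review bot: With the comparison now `$fails >= $threshold`, a `$threshold` of 0 makes the branch unconditional and locks out every login regardless of failures; if the threshold is admin-configurable, guard it here, `if ( $threshold > 0 && $fails >= $threshold )`, or validate it where it is loaded. The `>=` itself is the right fix, since the old `>` permitted one attempt beyond the configured limit. The context line above builds the lockout query by concatenating `$ipaddr` into the SQL string; that predates this commit, but it is worth confirming that `$ipaddr` is escaped or validated before it reaches this method. The enclosing method starts and ends outside the hunk.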
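Review bot: The added `'time_rem'` is derived from `$row`, which under `ORDER BY timestamp DESC` is the most recent failure, so it reports the time until the newest failure leaves the window rather than until `$fails` drops below `$threshold`; if the same windowed count decides when the lockout lifts, that happens once the oldest surplus failures expire, which can be earlier than the value shown. Because `timestamp > $timestamp_cutoff` bounds the elapsed time to under `$duration`, `round()` can still bring the difference to 0 and the client then prints "wait 0 minutes"; wrapping the expression in `max( 1, ... )` avoids that. The same formula is added at @@ -128 in plugins/SpecialUserFuncs.php and, in a differing form, at @@ -825. The enclosing method starts outside the hunk.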
@@ -650,6 +651,7 @@
 'lockout_threshold' => $threshold,
 'lockout_duration' => ( $duration / 60 ),
 'lockout_fails' => $fails,
+ 'time_rem' => ( $duration / 60 ),
 'lockout_policy' => $policy
 );
 }
@@ -761,6 +763,7 @@
 'lockout_threshold' => $threshold,
 'lockout_duration' => ( $duration / 60 ),
 'lockout_fails' => $fails,
+ 'time_rem' => ( $duration / 60 ),
 'lockout_policy' => $policy
 );
 }
@@ -825,6 +828,7 @@
 'lockout_duration' => ( $duration / 60 ),
 'lockout_fails' => $fails,
 'lockout_policy' => $policy,
+ 'time_rem' => $duration - round( ( time() - $row['timestamp'] ) / 60 ),
 'lockout_last_time' => $row['timestamp']
 );
 }
diff -r 06bdbdfec160 -r c69730750be3 plugins/SpecialUserFuncs.php
--- a/plugins/SpecialUserFuncs.php Sun Oct 07 21:41:42 2007 -0400
+++ b/plugins/SpecialUserFuncs.php Sun Oct 07 22:06:15 2007 -0400
@@ -128,7 +128,7 @@
 'lockout_fails' => $fails,
 'lockout_policy' => $policy,
 'lockout_last_time' => $row['timestamp'],
- 'server_time' => time(),
+ 'time_rem' => ( $duration / 60 ) - round( ( time() - $row['timestamp'] ) / 60 ),
 'captcha' => ''
 );
 if ( $policy == 'captcha' )
@@ -214,8 +214,10 @@
 $attempts = intval($__login_status['lockout_fails']);
 if ( $attempts > $__login_status['lockout_threshold'])
 $attempts = $__login_status['lockout_threshold'];
- $time_rem = ( $__login_status['lockout_last_time'] % ( $__login_status['lockout_duration'] * 60 ) );
- $time_rem = $__login_status['lockout_duration'] - round($time_rem / 60);
+
+ $server_time = time();
+ $time_rem = $__login_status['lockout_duration'] - round( ( $server_time - $__login_status['lockout_last_time'] ) / 60 );
+
 $s = ( $time_rem == 1 ) ? '' : 's';
 $errstring = "You have used up all {$__login_status['lockout_threshold']} allowed login attempts. Please wait {$time_rem} minute$s before attempting to log in again";
 if ( $__login_status['lockout_policy'] == 'captcha' )
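Review bot: In the @@ -825 hunk, `'time_rem' => $duration - round( ( time() - $row['timestamp'] ) / 60 )` subtracts minutes from a value that the adjacent `'lockout_duration' => ( $duration / 60 )` line implies is in seconds, so the result is off by a factor of 60 compared with the same field added at @@ -589; it should read `'time_rem' => ( $duration / 60 ) - round( ( time() - $row['timestamp'] ) / 60 ),`. Four near-identical copies of this calculation now exist across the two files; a small private helper taking `$duration` and the last-failure timestamp would keep them from drifting again. The enclosing method starts outside the hunk.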
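Review bot: In the @@ -128 hunk, replacing `'server_time'` with `'time_rem'` changes the shape of the status array for any consumer other than misc.js, which is the only caller this commit updates; it is worth confirming nothing else reads `server_time` before dropping the key instead of adding `time_rem` beside it. A short comment on the new line would also help maintainers, e.g. `// minutes until the lockout opened by the last failure expires`. The enclosing function starts and ends outside the hunk.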
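Review bot: In the @@ -214 hunk the new lines recompute the remaining time locally from `lockout_duration` and `lockout_last_time`, even though this commit adds a `time_rem` key to what appears to be the same status array at @@ -128; if `$__login_status` is that array, `$time_rem = $__login_status['time_rem'];` removes the duplicate formula along with the single-use `$server_time` temporary. If the local computation is kept, it depends on `lockout_last_time` being present, which the sessions.php variants of the array at @@ -650 and @@ -761 do not supply; an `isset()` check before the subtraction would avoid a notice and a meaningless remaining time. The enclosing function starts and ends outside the hunk.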