Fixed the security hole (really, I'm a moron - used $failed > $threshold instead of $failed >= $threshold) and patched up some...erm... math issues
--- a/includes/clientside/static/misc.js Sun Oct 07 21:41:42 2007 -0400
+++ b/includes/clientside/static/misc.js Sun Oct 07 22:06:15 2007 -0400
@@ -337,8 +337,7 @@
$attempts = parseInt($data['lockout_fails']);
if ( $attempts > $data['lockout_threshold'])
$attempts = $data['lockout_threshold'];
- window.console.debug('server time ', $data.server_time, ', last time ', $data['lockout_last_time'], ', duration ', $data['lockout_duration']);
- $time_rem = $data.lockout_duration - Math.round( ( $data.server_time - $data.lockout_last_time ) / 60 );
+ $time_rem = $data.time_rem;
$s = ( $time_rem == 1 ) ? '' : 's';
$errstring = "You have used up all "+$data['lockout_threshold']+" allowed login attempts. Please wait "+$time_rem+" minute"+$s+" before attempting to log in again";
if ( $data['lockout_policy'] == 'captcha' )
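Review bot: The added line takes `$data.time_rem` as-is, while `lockout_fails` a few lines earlier is normalised with `parseInt`; if the server ever emits the value as a string, the `$time_rem == 1` check and any later arithmetic depend on its type. For consistency coerce it the same way, `$time_rem = parseInt($data.time_rem, 10);`, and consider clamping a non-positive value so the message never tells a still-locked-out user to wait 0 minutes. The enclosing function starts and ends outside the hunk.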
--- a/includes/sessions.php Sun Oct 07 21:41:42 2007 -0400
+++ b/includes/sessions.php Sun Oct 07 22:06:15 2007 -0400
@@ -577,7 +577,7 @@
$timestamp_cutoff = time() - $duration;
$q = $this->sql('SELECT timestamp FROM '.table_prefix.'lockout WHERE timestamp > ' . $timestamp_cutoff . ' AND ipaddr = \'' . $ipaddr . '\' ORDER BY timestamp DESC;');
$fails = $db->numrows();
- if ( $fails > $threshold )
+ if ( $fails >= $threshold )
{
// ooh boy, somebody's in trouble ;-)
$row = $db->fetchrow();
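Review bot: The `>=` fix is right, but the count it compares comes from a query two lines above that builds the `ipaddr = '...'` clause by string concatenation, and nothing in the hunk shows `$ipaddr` being validated or escaped. If that does not happen upstream (not visible here), guard it before the query, e.g. `if ( !filter_var($ipaddr, FILTER_VALIDATE_IP) ) { $ipaddr = ''; }` or route it through the database layer's escaping. The enclosing function begins and ends outside the hunk.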
@@ -589,6 +589,7 @@
'lockout_duration' => ( $duration / 60 ),
'lockout_fails' => $fails,
'lockout_policy' => $policy,
+ 'time_rem' => ( $duration / 60 ) - round( ( time() - $row['timestamp'] ) / 60 ),
'lockout_last_time' => $row['timestamp']
);
}
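Review bot: `round()` on the added `time_rem` line can yield 0 while the lockout is still active: with a 15-minute window and 14.6 minutes elapsed the value rounds to 15 - 15 = 0, yet the query at the top of the function counts the failure until the full `$duration` has passed, so the user is told to wait 0 minutes. Round up and clamp instead, `'time_rem' => max( 1, (int) ceil( ( $duration - ( time() - $row['timestamp'] ) ) / 60 ) ),`. The same computation appears in the SpecialUserFuncs.php hunks (the `time_rem` array entry and the later `$time_rem =` assignment) and should be fixed the same way, ideally via one shared helper.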
@@ -650,6 +651,7 @@
'lockout_threshold' => $threshold,
'lockout_duration' => ( $duration / 60 ),
'lockout_fails' => $fails,
+ 'time_rem' => ( $duration / 60 ),
'lockout_policy' => $policy
);
}
@@ -761,6 +763,7 @@
'lockout_threshold' => $threshold,
'lockout_duration' => ( $duration / 60 ),
'lockout_fails' => $fails,
+ 'time_rem' => ( $duration / 60 ),
'lockout_policy' => $policy
);
}
@@ -825,6 +828,7 @@
'lockout_duration' => ( $duration / 60 ),
'lockout_fails' => $fails,
'lockout_policy' => $policy,
+ 'time_rem' => $duration - round( ( time() - $row['timestamp'] ) / 60 ),
'lockout_last_time' => $row['timestamp']
);
}
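Review bot: The added `time_rem` line subtracts minutes from seconds: `$duration` is in seconds here (the neighbouring `'lockout_duration' => ( $duration / 60 )` converts it), while `round( ... / 60 )` is minutes, so this value comes out roughly 60x too large compared with the other hunks in this file. It should match them: `'time_rem' => ( $duration / 60 ) - round( ( time() - $row['timestamp'] ) / 60 ),`. The enclosing function starts and ends outside the hunk.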
--- a/plugins/SpecialUserFuncs.php Sun Oct 07 21:41:42 2007 -0400
+++ b/plugins/SpecialUserFuncs.php Sun Oct 07 22:06:15 2007 -0400
@@ -128,7 +128,7 @@
'lockout_fails' => $fails,
'lockout_policy' => $policy,
'lockout_last_time' => $row['timestamp'],
- 'server_time' => time(),
+ 'time_rem' => ( $duration / 60 ) - round( ( time() - $row['timestamp'] ) / 60 ),
'captcha' => ''
);
if ( $policy == 'captcha' )
@@ -214,8 +214,10 @@
$attempts = intval($__login_status['lockout_fails']);
if ( $attempts > $__login_status['lockout_threshold'])
$attempts = $__login_status['lockout_threshold'];
- $time_rem = ( $__login_status['lockout_last_time'] % ( $__login_status['lockout_duration'] * 60 ) );
- $time_rem = $__login_status['lockout_duration'] - round($time_rem / 60);
+
+ $server_time = time();
+ $time_rem = $__login_status['lockout_duration'] - round( ( $server_time - $__login_status['lockout_last_time'] ) / 60 );
+
$s = ( $time_rem == 1 ) ? '' : 's';
$errstring = "You have used up all {$__login_status['lockout_threshold']} allowed login attempts. Please wait {$time_rem} minute$s before attempting to log in again";
if ( $__login_status['lockout_policy'] == 'captcha' )
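Review bot: The added `$time_rem` assignment recomputes the remaining time even though the earlier hunk in this file now puts a `time_rem` entry into the same status array; if `$__login_status` is that array (it carries the same keys), read it instead, `$time_rem = $__login_status['time_rem'];`, so the formula lives in one place rather than four (one copy in sessions.php already disagrees on units). The `$server_time` local is used once and can be inlined if the recomputation is kept. The enclosing function begins outside the hunk.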