mirror of
https://github.com/phpbb/phpbb.git
synced 2025-07-30 21:40:43 +02:00
Merge remote-tracking branch 'naderman/ticket/9992' into develop-olympus
* naderman/ticket/9992: [ticket/9992] Clarify explanations of ip and account limits on login [ticket/9992] Add a comma to language for IP_LOGIN_LIMIT_MAX_EXPLAIN [ticket/9992] Use sql_fetchfield for single row and single column result [ticket/9992] Adding a limit on login attempts per IP. [ticket/9992] Make sql_create_table and sql_table_exists available in updater
This commit is contained in:
Andreas Fischer
@@ -386,6 +386,9 @@ class acp_board
|
||||
'pass_complex' => array('lang' => 'PASSWORD_TYPE', 'validate' => 'string', 'type' => 'select', 'method' => 'select_password_chars', 'explain' => true),
|
||||
'chg_passforce' => array('lang' => 'FORCE_PASS_CHANGE', 'validate' => 'int:0', 'type' => 'text:3:3', 'explain' => true, 'append' => ' ' . $user->lang['DAYS']),
|
||||
'max_login_attempts' => array('lang' => 'MAX_LOGIN_ATTEMPTS', 'validate' => 'int:0', 'type' => 'text:3:3', 'explain' => true),
|
||||
'ip_login_limit_max' => array('lang' => 'IP_LOGIN_LIMIT_MAX', 'validate' => 'int:0', 'type' => 'text:3:3', 'explain' => true),
|
||||
'ip_login_limit_time' => array('lang' => 'IP_LOGIN_LIMIT_TIME', 'validate' => 'int:0', 'type' => 'text:5:5', 'explain' => true),
|
||||
'ip_login_limit_use_forwarded' => array('lang' => 'IP_LOGIN_LIMIT_USE_FORWARDED', 'validate' => 'bool', 'type' => 'radio:yes_no', 'explain' => true),
|
||||
'tpl_allow_php' => array('lang' => 'TPL_ALLOW_PHP', 'validate' => 'bool', 'type' => 'radio:yes_no', 'explain' => true),
|
||||
'form_token_lifetime' => array('lang' => 'FORM_TIME_MAX', 'validate' => 'int:-1', 'type' => 'text:5:5', 'explain' => true, 'append' => ' ' . $user->lang['SECONDS']),
|
||||
'form_token_sid_guests' => array('lang' => 'FORM_SID_GUESTS', 'validate' => 'bool', 'type' => 'radio:yes_no', 'explain' => true),
|
||||
|
||||
@@ -908,7 +908,7 @@ class auth
|
||||
$method = 'login_' . $method;
|
||||
if (function_exists($method))
|
||||
{
|
||||
$login = $method($username, $password);
|
||||
$login = $method($username, $password, $user->ip, $user->browser, $user->forwarded_for);
|
||||
|
||||
// If the auth module wants us to create an empty profile do so and then treat the status as LOGIN_SUCCESS
|
||||
if ($login['status'] == LOGIN_SUCCESS_CREATE_PROFILE)
|
||||
|
||||
@@ -23,8 +23,21 @@ if (!defined('IN_PHPBB'))
|
||||
|
||||
/**
|
||||
* Login function
|
||||
*
|
||||
* @param string $username
|
||||
* @param string $password
|
||||
* @param string $ip IP address the login is taking place from. Used to
|
||||
* limit the number of login attempts per IP address.
|
||||
* @param string $browser The user agent used to login
|
||||
* @param string $forwarded_for X_FORWARDED_FOR header sent with login request
|
||||
* @return array A associative array of the format
|
||||
* array(
|
||||
* 'status' => status constant
|
||||
* 'error_msg' => string
|
||||
* 'user_row' => array
|
||||
* )
|
||||
*/
|
||||
function login_db(&$username, &$password)
|
||||
function login_db($username, $password, $ip = '', $browser = '', $forwarded_for = '')
|
||||
{
|
||||
global $db, $config;
|
||||
|
||||
@@ -47,13 +60,51 @@ function login_db(&$username, &$password)
|
||||
);
|
||||
}
|
||||
|
||||
$username_clean = utf8_clean_string($username);
|
||||
|
||||
$sql = 'SELECT user_id, username, user_password, user_passchg, user_pass_convert, user_email, user_type, user_login_attempts
|
||||
FROM ' . USERS_TABLE . "
|
||||
WHERE username_clean = '" . $db->sql_escape(utf8_clean_string($username)) . "'";
|
||||
WHERE username_clean = '" . $db->sql_escape($username_clean) . "'";
|
||||
$result = $db->sql_query($sql);
|
||||
$row = $db->sql_fetchrow($result);
|
||||
$db->sql_freeresult($result);
|
||||
|
||||
if (($ip && !$config['ip_login_limit_use_forwarded']) ||
|
||||
($forwarded_for && $config['ip_login_limit_use_forwarded']))
|
||||
{
|
||||
$sql = 'SELECT COUNT(attempt_id) AS count
|
||||
FROM ' . LOGIN_ATTEMPT_TABLE . '
|
||||
WHERE attempt_time > ' . (time() - (int) $config['ip_login_limit_time']);
|
||||
if ($config['ip_login_limit_use_forwarded'])
|
||||
{
|
||||
$sql .= " AND attempt_forwarded_for = '" . $db->sql_escape($forwarded_for) . "'";
|
||||
}
|
||||
else
|
||||
{
|
||||
$sql .= " AND attempt_ip = '" . $db->sql_escape($ip) . "' ";
|
||||
}
|
||||
|
||||
$result = $db->sql_query($sql);
|
||||
$attempts = (int) $db->sql_fetchfield('count');
|
||||
$db->sql_freeresult($result);
|
||||
|
||||
$attempt_data = array(
|
||||
'attempt_ip' => $ip,
|
||||
'attempt_browser' => $browser,
|
||||
'attempt_forwarded_for' => $forwarded_for,
|
||||
'attempt_time' => time(),
|
||||
'user_id' => ($row) ? (int) $row['user_id'] : 0,
|
||||
'username' => $username,
|
||||
'username_clean' => $username_clean,
|
||||
);
|
||||
$sql = 'INSERT INTO ' . LOGIN_ATTEMPT_TABLE . $db->sql_build_array('INSERT', $attempt_data);
|
||||
$result = $db->sql_query($sql);
|
||||
}
|
||||
else
|
||||
{
|
||||
$attempts = 0;
|
||||
}
|
||||
|
||||
if (!$row)
|
||||
{
|
||||
return array(
|
||||
@@ -62,7 +113,9 @@ function login_db(&$username, &$password)
|
||||
'user_row' => array('user_id' => ANONYMOUS),
|
||||
);
|
||||
}
|
||||
$show_captcha = $config['max_login_attempts'] && $row['user_login_attempts'] >= $config['max_login_attempts'];
|
||||
|
||||
$show_captcha = ($config['max_login_attempts'] && $row['user_login_attempts'] >= $config['max_login_attempts']) ||
|
||||
($config['ip_login_limit_max'] && $attempts >= $config['ip_login_limit_max']);
|
||||
|
||||
// If there are too much login attempts, we need to check for an confirm image
|
||||
// Every auth module is able to define what to do by itself...
|
||||
@@ -90,7 +143,7 @@ function login_db(&$username, &$password)
|
||||
{
|
||||
$captcha->reset();
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
|
||||
// If the password convert flag is set we need to convert it
|
||||
@@ -165,6 +218,10 @@ function login_db(&$username, &$password)
|
||||
$row['user_password'] = $hash;
|
||||
}
|
||||
|
||||
$sql = 'DELETE FROM ' . LOGIN_ATTEMPT_TABLE . '
|
||||
WHERE user_id = ' . $row['user_id'];
|
||||
$db->sql_query($sql);
|
||||
|
||||
if ($row['user_login_attempts'] != 0)
|
||||
{
|
||||
// Successful, reset login attempts (the user passed all stages)
|
||||
|
||||
@@ -236,6 +236,7 @@ define('GROUPS_TABLE', $table_prefix . 'groups');
|
||||
define('ICONS_TABLE', $table_prefix . 'icons');
|
||||
define('LANG_TABLE', $table_prefix . 'lang');
|
||||
define('LOG_TABLE', $table_prefix . 'log');
|
||||
define('LOGIN_ATTEMPT_TABLE', $table_prefix . 'login_attempts');
|
||||
define('MODERATOR_CACHE_TABLE', $table_prefix . 'moderator_cache');
|
||||
define('MODULES_TABLE', $table_prefix . 'modules');
|
||||
define('POLL_OPTIONS_TABLE', $table_prefix . 'poll_options');
|
||||
|
||||
@@ -638,6 +638,19 @@ class phpbb_db_tools
|
||||
$sqlite = true;
|
||||
}
|
||||
|
||||
// Add tables?
|
||||
if (!empty($schema_changes['add_tables']))
|
||||
{
|
||||
foreach ($schema_changes['add_tables'] as $table => $table_data)
|
||||
{
|
||||
$result = $this->sql_create_table($table, $table_data);
|
||||
if ($this->return_statements)
|
||||
{
|
||||
$statements = array_merge($statements, $result);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Change columns?
|
||||
if (!empty($schema_changes['change_columns']))
|
||||
{
|
||||
|
||||
@@ -1006,6 +1006,10 @@ class session
|
||||
include($phpbb_root_path . "includes/captcha/captcha_factory." . $phpEx);
|
||||
}
|
||||
phpbb_captcha_factory::garbage_collect($config['captcha_plugin']);
|
||||
|
||||
$sql = 'DELETE FROM ' . LOGIN_ATTEMPT_TABLE . '
|
||||
WHERE attempt_time < ' . (time() - (int) $config['ip_login_limit_time']);
|
||||
$db->sql_query($sql);
|
||||
}
|
||||
|
||||
return;
|
||||
|
||||
Reference in New Issue
Block a user