diff options
| author | Andy Staudacher <andy.st@gmail.com> | 2010-01-30 21:42:57 -0800 |
|---|---|---|
| committer | Andy Staudacher <andy.st@gmail.com> | 2010-01-30 21:42:57 -0800 |
| commit | 1470b99d1facd07fcb46c0c4e46896d339f5a75a (patch) | |
| tree | 2e5198c80e014b94c5b5156cc8d7ee5b9e7480c6 /modules/gallery/helpers | |
| parent | cb92e58d40bfa866c07b10fe189bd653074a9917 (diff) | |
Protect REST login controller from brute force attacks too.
And make the REST auth token less predictable by using a better source for randomness.
Diffstat (limited to 'modules/gallery/helpers')
| -rw-r--r-- | modules/gallery/helpers/auth.php | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/modules/gallery/helpers/auth.php b/modules/gallery/helpers/auth.php index e112f127..8c7a0b6d 100644 --- a/modules/gallery/helpers/auth.php +++ b/modules/gallery/helpers/auth.php @@ -64,14 +64,19 @@ class auth_Core { * minute. */ static function validate_too_many_failed_logins($name_input) { + $name = is_object($name_input) ? $name_input->value : $name_input; $failed_login = ORM::factory("failed_login") - ->where("name", "=", $name_input->value) + ->where("name", "=", $name) ->find(); if ($failed_login->loaded() && $failed_login->count > 5 && (time() - $failed_login->time < 60)) { - $name_input->add_error("too_many_failed_logins", 1); + if (is_object($name_input)) { + $name_input->add_error("too_many_failed_logins", 1); + } + return false; } + return true; } /** |