Rate limit before checking if the user exists

This commit is contained in:
Jamie Cameron
2025-04-26 14:44:37 -07:00
parent 7ff37cd12f
commit 9bd96b6448


@@ -16,10 +16,7 @@ $remote_user && &error($text{'forgot_elogin'});
# Lookup the Webmin user
&foreign_require("acl");
my ($wuser) = grep { lc($_->{'name'}) eq lc($in{'forgot'}) } &acl::list_users();
$wuser && $wuser->{'email'} || &error($text{'forgot_euser'});
($wuser->{'sync'} || $wuser->{'pass'} eq 'e') && &error($text{'forgot_esync'});
$wuser->{'pass'} eq '*LK*' && &error($text{'forgot_elock'});
my $email = $wuser->{'email'};
my $email = $wuser ? $wuser->{'email'} : undef;
# Check if the IP or Webmin user is over it's rate limit
&make_dir($main::forgot_password_link_dir, 0700);
@@ -30,7 +27,9 @@ my %ratelimit;
my $now = time();
my $rlerr;
my $maxtries = 0;
foreach my $key ($ENV{'REMOTE_ADDR'}, $wuser->{'name'}, $wuser->{'email'}) {
foreach my $key ($ENV{'REMOTE_ADDR'},
$wuser ? ( $wuser->{'name'} ) : ( ),
$email ? ( $email ) : ( )) {
if (!$ratelimit{$key."_last"} ||
$ratelimit{$key."_last"} < $now-5*60) {
# More than 5 mins since the last try, so reset counter
@@ -66,6 +65,11 @@ foreach my $k (@cleanup) {
sleep($maxtries);
&error($rlerr) if ($rlerr);
# Make sure the Webmin user exists and is eligible for a reset
$wuser && $wuser->{'email'} || &error($text{'forgot_euser'});
($wuser->{'sync'} || $wuser->{'pass'} eq 'e') && &error($text{'forgot_esync'});
$wuser->{'pass'} eq '*LK*' && &error($text{'forgot_elock'});
# Generate a random ID for this password reset
my %link = ( 'id' => &generate_random_id(),
'remote' => $ENV{'REMOTE_ADDR'},