From 6604fbb6e11fbee803a5b3f1c0178f181e143e99 Mon Sep 17 00:00:00 2001
From: Gregory Soutade <gregory@soutade.fr>
Date: Fri, 4 Dec 2015 17:02:31 +0100
Subject: [PATCH] Add two new protections : REQUESTS_MIN_DELAY and
 MAX_PASSWORDS_PER_REQUEST (see conf.php)

---
 server/_user    | 32 +++++++++++++++++++++++++++++---
 server/conf.php | 21 ++++++++++++++++++++-
 2 files changed, 49 insertions(+), 4 deletions(-)

diff --git a/server/_user b/server/_user
index 65e38db..3a3e6a1 100644
--- a/server/_user
+++ b/server/_user
@@ -1,6 +1,6 @@
 <?php
 /*
-  Copyright (C) 2013-2014 Grégory Soutadé
+  Copyright (C) 2013-2015 Grégory Soutadé
   
   This file is part of gPass.
   
@@ -22,14 +22,40 @@ include("conf.php");
 
 function load_database()
 {
+    global $REQUESTS_MIN_DELAY;
+
     try {
-        $db = new SQLite3("./gpass.bdd", SQLITE3_OPEN_READONLY);
+        $db = new SQLite3("./gpass.bdd", SQLITE3_OPEN_READWRITE);
     }
     catch(Exception $e)
     {
         die("<b>Unable to load database for user $user !</b><br/>");
         return null;
     }
+
+    list($usec, $sec) = explode(" ", microtime());
+    $usec = $usec + $sec*1000;
+
+    try {
+        $last_time = $db->querySingle("SELECT last_access_time FROM conf");
+        if ($last_time <= $usec &&
+        ($usec - $last_time) < $REQUESTS_MIN_DELAY)
+        {
+            // Brute force ??
+            $db->close();
+            return null;
+        }
+        $db->query("UPDATE conf SET last_access_time=$usec");
+        $db->close();
+        $db = new SQLite3("./gpass.bdd", SQLITE3_OPEN_READONLY);
+    }
+    catch(Exception $e)
+    {
+        $db->close();
+        die("<b>Unable to load database for user $user !</b><br/>");
+        return null;
+    }
+
     return $db;
 }
 
@@ -45,7 +71,7 @@ echo "protocol=gpass-$PROTOCOL_VERSION\n";
 if ($PKDBF2_LEVEL != 1000)
     echo "pkdbf2_level=$PKDBF2_LEVEL\n";
 
-for ($i=0; isset($_POST["k$i"]); $i++)
+for ($i=0; $i<$MAX_PASSWORDS_PER_REQUEST && isset($_POST["k$i"]); $i++)
 {
     $statement->bindValue(":login", addslashes($_POST["k$i"]));
     $result = $statement->execute();
diff --git a/server/conf.php b/server/conf.php
index 28c005c..dbc8844 100644
--- a/server/conf.php
+++ b/server/conf.php
@@ -1,6 +1,6 @@
 <?php
 /*
-  Copyright (C) 2013-2014 Grégory Soutadé
+  Copyright (C) 2013-2015 Grégory Soutadé
   
   This file is part of gPass.
   
@@ -60,4 +60,23 @@ $PKDBF2_LEVEL=1000;
   standard crypto API will be stable it will be enabled by default.
 */
 $USE_SHADOW_LOGINS=0;
+
+/*
+  Protection against DDoS.
+  Each request can contains multiple password combination
+  (to support wildcards for example) and multiple names.
+  Currently only two passwords are sent from addon :
+      www.example.com
+      *.example.com
+  But, on future we may also consider 'www.example.*', '*.example.*' and lower case username.
+  For maximum security, you can set it to 2.
+ */
+$MAX_PASSWORDS_PER_REQUEST=10;
+
+/*
+  Protection against brute force.
+  Minimum delay (in milliseconds) between two requests.
+ */
+$REQUESTS_MIN_DELAY=1000;
+
 ?>
\ No newline at end of file