Add two new protections : REQUESTS_MIN_DELAY and MAX_PASSWORDS_PER_REQUEST (see conf.php)

2015-12-04 17:02:31 +01:00
parent cc66b612ef
commit 6604fbb6e1
2 changed files with 49 additions and 4 deletions
--- a/server/_user
+++ b/server/_user
@@ -1,6 +1,6 @@
 <?php
 /*
-  Copyright (C) 2013-2014 Grégory Soutadé
+  Copyright (C) 2013-2015 Grégory Soutadé
  
  This file is part of gPass.
  
@@ -22,14 +22,40 @@ include("conf.php");

 function load_database()
 {
+    global $REQUESTS_MIN_DELAY;
+
    try {
-        $db = new SQLite3("./gpass.bdd", SQLITE3_OPEN_READONLY);
+        $db = new SQLite3("./gpass.bdd", SQLITE3_OPEN_READWRITE);
    }
    catch(Exception $e)
    {
        die("<b>Unable to load database for user $user !</b><br/>");
        return null;
    }
+
+    list($usec, $sec) = explode(" ", microtime());
+    $usec = $usec + $sec*1000;
+
+    try {
+        $last_time = $db->querySingle("SELECT last_access_time FROM conf");
+        if ($last_time <= $usec &&
+        ($usec - $last_time) < $REQUESTS_MIN_DELAY)
+        {
+            // Brute force ??
+            $db->close();
+            return null;
+        }
+        $db->query("UPDATE conf SET last_access_time=$usec");
+        $db->close();
+        $db = new SQLite3("./gpass.bdd", SQLITE3_OPEN_READONLY);
+    }
+    catch(Exception $e)
+    {
+        $db->close();
+        die("<b>Unable to load database for user $user !</b><br/>");
+        return null;
+    }
+
    return $db;
 }

@@ -45,7 +71,7 @@ echo "protocol=gpass-$PROTOCOL_VERSION\n";
 if ($PKDBF2_LEVEL != 1000)
    echo "pkdbf2_level=$PKDBF2_LEVEL\n";

-for ($i=0; isset($_POST["k$i"]); $i++)
+for ($i=0; $i<$MAX_PASSWORDS_PER_REQUEST && isset($_POST["k$i"]); $i++)
 {
    $statement->bindValue(":login", addslashes($_POST["k$i"]));
    $result = $statement->execute();
--- a/server/conf.php
+++ b/server/conf.php
@@ -1,6 +1,6 @@
 <?php
 /*
-  Copyright (C) 2013-2014 Grégory Soutadé
+  Copyright (C) 2013-2015 Grégory Soutadé
  
  This file is part of gPass.
  
@@ -60,4 +60,23 @@ $PKDBF2_LEVEL=1000;
  standard crypto API will be stable it will be enabled by default.
 */
 $USE_SHADOW_LOGINS=0;
+
+/*
+  Protection against DDoS.
+  Each request can contains multiple password combination
+  (to support wildcards for example) and multiple names.
+  Currently only two passwords are sent from addon :
+      www.example.com
+      *.example.com
+  But, on future we may also consider 'www.example.*', '*.example.*' and lower case username.
+  For maximum security, you can set it to 2.
+ */
+$MAX_PASSWORDS_PER_REQUEST=10;
+
+/*
+  Protection against brute force.
+  Minimum delay (in milliseconds) between two requests.
+ */
+$REQUESTS_MIN_DELAY=1000;
+
 ?>