Commit 048aa46

authored
Merge pull request dokuwiki#4492 from dokuwiki/logintiming
add random delay on login dokuwiki#4491
2 parents 9b006b5 + 9c952d3 commit 048aa46

3 files changed

+9
-2
lines changed

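--- a/inc/auth.php
+++ b/inc/auth.php
@@ -305,6 +305,7 @@ function auth_login($user, $pass, $sticky = false, $silent = false)
 
 if (!empty($user)) {
 //usual login
+if (!empty($pass)) usleep(rand(0, 250)); // add a random delay to prevent timing attacks #4491
 if (!empty($pass) && $auth->checkPass($user, $pass)) {
 // make logininfo globally available
 $INPUT->server->set('REMOTE_USER', $user);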
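Review bot: `usleep()` takes microseconds, so `usleep(rand(0, 250))` on the added line sleeps at most 0.25 ms, which is far below the cost of a password hash and unlikely to mask the difference the comment is aimed at. Random jitter in any case only adds noise that averages out over repeated requests; the equal-work change in the backends' `checkPass()` is what narrows the gap, so the comment should not present the delay as the protection. If a window of up to 250 ms was intended, the line would read `if (!empty($pass)) usleep(random_int(0, 250000));`, which also replaces the predictable `rand()`. auth_login's body starts and ends outside the hunk.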

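--- a/lib/plugins/authpdo/auth.php
+++ b/lib/plugins/authpdo/auth.php
@@ -123,7 +123,10 @@ public function checkPass($user, $pass)
 {
 
 $userdata = $this->selectUser($user);
-if ($userdata == false) return false;
+if ($userdata === false) {
+auth_cryptPassword('dummy'); // run a crypt op to prevent timing attacks
+return false;
+}
 
 // password checking done in SQL?
 if ($this->checkConfig(['check-pass'])) {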
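Review bot: The dummy `auth_cryptPassword('dummy')` in the unknown-user branch mirrors only a PHP-side hash, while the context lines just below it show a `check-pass` path where the password is checked in SQL, so on that configuration the two branches still take different time. The dummy call presumably also uses the configured default hash method, whereas a stored hash may use another method or cost; that applies equally to the identical change in `lib/plugins/authplain/auth.php`. I would widen the comment to say so, e.g. `// equalises only the PHP hash path; SQL check-pass and legacy hash methods are not covered`. The switch from `==` to `===` also means an empty array or null from `selectUser()` would no longer return early here, which is worth confirming against its return contract. checkPass's body continues outside the hunk.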

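--- a/lib/plugins/authplain/auth.php
+++ b/lib/plugins/authplain/auth.php
@@ -68,7 +68,10 @@ public function __construct()
 public function checkPass($user, $pass)
 {
 $userinfo = $this->getUserData($user);
-if ($userinfo === false) return false;
+if ($userinfo === false) {
+auth_cryptPassword('dummy'); // run a crypt op to prevent timing attacks
+return false;
+}
 
 return auth_verifyPassword($pass, $this->users[$user]['pass']);
 }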
