scottk/Mailu
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/Mailu.git synced 2025-11-04 03:57:53 +00:00
Code Issues Packages Projects Releases Wiki Activity

Make it happen post-deduplication

Browse Source
This commit is contained in:
Florent Daigniere
2023-04-16 12:57:20 +02:00
parent 21ed7b69a8
commit 5a55d1824e
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
core/admin/mailu/limiter.py
View File

@@ -71,12 +71,12 @@ class LimitWraperFactory(object):
def rate_limit_user(self, username, ip, device_cookie=None, device_cookie_name=None, password=''): def rate_limit_user(self, username, ip, device_cookie=None, device_cookie_name=None, password=''):
limiter = self.get_limiter(app.config["AUTH_RATELIMIT_USER"], 'auth-user') limiter = self.get_limiter(app.config["AUTH_RATELIMIT_USER"], 'auth-user')
if self.is_subject_to_rate_limits(ip): if self.is_subject_to_rate_limits(ip):
self.rate_limit_ip(ip, username)
truncated_password = hmac.new(bytearray(username, 'utf-8'), bytearray(password, 'utf-8'), 'sha256').hexdigest()[-6:] truncated_password = hmac.new(bytearray(username, 'utf-8'), bytearray(password, 'utf-8'), 'sha256').hexdigest()[-6:]
if password and (self.storage.get(f'dedup2-{username}-{truncated_password}') > 0): if password and (self.storage.get(f'dedup2-{username}-{truncated_password}') > 0):
return return
self.storage.incr(f'dedup2-{username}-{truncated_password}', limits.parse(app.config['AUTH_RATELIMIT_USER']).GRANULARITY.seconds, True) self.storage.incr(f'dedup2-{username}-{truncated_password}', limits.parse(app.config['AUTH_RATELIMIT_USER']).GRANULARITY.seconds, True)
limiter.hit(device_cookie if device_cookie_name == username else username) limiter.hit(device_cookie if device_cookie_name == username else username)
self.rate_limit_ip(ip, username)
""" Device cookies as described on: """ Device cookies as described on:
https://owasp.org/www-community/Slow_Down_Online_Guessing_Attacks_with_Device_Cookies https://owasp.org/www-community/Slow_Down_Online_Guessing_Attacks_with_Device_Cookies