Patch #485974: rate limit login attempts. From: damz --- common.inc | 13 ++++++++++++ user/user.module | 13 ++++++++++-- user/user.test | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 81 insertions(+), 2 deletions(-) diff --git includes/common.inc includes/common.inc index f84745e..6d7bfc1 100644 --- includes/common.inc +++ includes/common.inc @@ -1270,6 +1270,19 @@ function flood_register_event($name) { } /** + * Make the flood control mechanism forget about an event for the current visitor (hostname/IP). + * + * @param $name + * The name of an event. + */ +function flood_clear_event($name) { + db_delete('flood') + ->condition('event', $name) + ->condition('hostname', ip_address()) + ->execute(); +} + +/** * Check if the current visitor (hostname/IP) is allowed to proceed with the specified event. * * The user is allowed to proceed if he did not trigger the specified event more diff --git modules/user/user.module modules/user/user.module index 3749e1f..e6e1041 100644 --- modules/user/user.module +++ modules/user/user.module @@ -1635,8 +1635,17 @@ function user_login_authenticate_validate($form, &$form_state) { */ function user_login_final_validate($form, &$form_state) { if (empty($form_state['uid'])) { - form_set_error('name', t('Sorry, unrecognized username or password. Have you forgotten your password?', array('@password' => url('user/password')))); - watchdog('user', 'Login attempt failed for %user.', array('%user' => $form_state['values']['name'])); + if (!flood_is_allowed('failed_login_attempt', variable_get('user_login_hourly_limit', 20))) { + form_set_error('name', t('Sorry, too many failed password attempts, you are temporarily prohibited from logging in. Please try again later.')); + } + else { + form_set_error('name', t('Sorry, unrecognized username or password. Have you forgotten your password?', array('@password' => url('user/password')))); + watchdog('user', 'Login attempt failed for %user.', array('%user' => $form_state['values']['name'])); + } + flood_register_event('failed_login_attempt'); + } + else { + flood_clear_event('failed_login_attempt'); } } diff --git modules/user/user.test modules/user/user.test index a661258..191f2ca 100644 --- modules/user/user.test +++ modules/user/user.test @@ -159,6 +159,63 @@ class UserValidationTestCase extends DrupalWebTestCase { } } +class UserLoginTestCase extends DrupalWebTestCase { + public static function getInfo() { + return array( + 'name' => 'User login', + 'description' => 'Ensure that login works as expected.', + 'group' => 'User', + ); + } + + /** + * Test login flood control. + */ + function testLoginFloodControl() { + $user = $this->drupalCreateUser(array()); + variable_set('user_login_hourly_limit', 4); + + // Try 2 failed logins. + for ($i = 0; $i < 2; $i++) { + $this->drupalFailedLogin($user, FALSE); + } + + // Try one successful login, it should reset the flood control mechanism. + $this->drupalLogin($user); + $this->drupalLogout(); + + // Try 4 more failed logins, they should not trigger the flood control mechanism. + for ($i = 0; $i < 4; $i++) { + $this->drupalFailedLogin($user, FALSE); + } + + // The next login trial should result in a flood error message. + $this->drupalFailedLogin($user, TRUE); + } + + /** + * Make an unsuccessful login attempt. + * + * @param $user + * The user. + * @param $flood + * Whether to expect or not that the flood control mechanism will be triggered. + */ + function drupalFailedLogin($user, $flood = FALSE) { + $edit = array( + 'name' => $user->name, + 'pass' => $this->randomName(), + ); + $this->drupalPost('user', $edit, t('Log in')); + if ($flood) { + $this->assertRaw(t('Sorry, too many failed password attempts, you are temporarily prohibited from logging in. Please try again later.')); + } + else { + $this->assertRaw(t('Sorry, unrecognized username or password. Have you forgotten your password?', array('@password' => url('user/password')))); + } + } +} + class UserCancelTestCase extends DrupalWebTestCase { public static function getInfo() { return array(