Honeypot time limit applied is always at least double configured value plus one.

$honeypot_time_limit = $honeypot_time_limit + (int) min($honeypot_time_limit + exp($number), 2592000);

should be

$honeypot_time_limit = (int) min($honeypot_time_limit + exp($number), 2592000) - 1;

perhaps.

CommentFileSizeAuthor
#3 2277089-fix-for-time-limit-doubling.patch1.35 KBdrupoz
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

drupoz’s picture

drupoz CreditAttribution: drupoz commented

or

$honeypot_time_limit = (int) min($honeypot_time_limit + exp($number) - 1, 2592000);

rather.

drupoz’s picture

drupoz CreditAttribution: drupoz commented
Assigned: Unassigned » drupoz
Status: Active » Needs work
drupoz’s picture

drupoz CreditAttribution: drupoz commented
FileSize
2277089-fix-for-time-limit-doubling.patch1.35 KB
geerlingguy’s picture

geerlingguy CreditAttribution: geerlingguy commented
Version: 7.x-1.16 » 7.x-1.x-dev

This bug exists in 7.x as well? I thought I had it fixed... but I'll do more testing, and also make sure we add an automated test for this—don't want to reintroduce the bug again at a later time...

geerlingguy’s picture

geerlingguy CreditAttribution: geerlingguy commented
Status: Needs work » Needs review

  • Commit 76cffcf on 7.x-1.x by geerlingguy: 
    Issue #2277089 by drupoz: Time limit is double what it's supposed to be.

  • Commit ad1b20b on 7.x-1.x by geerlingguy: 
    Issue #2277089 by geerlingguy: Time limit is double what it's supposed...

  • Commit 53b2183 on 6.x-1.x authored by drupoz, committed by geerlingguy: 
    Issue #2277089 by geerlingguy, drupoz: Time limit is double what it's...
geerlingguy’s picture

geerlingguy CreditAttribution: geerlingguy commented
Version: 7.x-1.x-dev » 8.x-1.x-dev
Status: Needs review » Needs work

Okay, I fixed 7.x-1.x and 6.x-1.x. Moving to 8.x, where I'm going to add tests, then backport the tests to 7.x. Someday I'll be back down to two major versions :P

  • Commit eb7338f on 7.x-1.x by geerlingguy: 
    Issue #2277089: Add test for registration form time-based protection.

  • Commit be6d91d on 8.x-1.x by geerlingguy: 
    Issue #2277089 by geerlingguy: Time limit is double what it's supposed...
geerlingguy’s picture

geerlingguy CreditAttribution: geerlingguy commented
Status: Needs work » Fixed

Fixed in 8.x, 7.x, and 6.x. Thanks for the sleuthing, drupoz, and congrats on your first commit on drupal.org! (see: https://drupal.org/u/drupoz).

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.