@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge


Don't rate limit users clicking "Wait Patiently" at an MFA gate even if they typed some text earlier

Summary:
Depends on D20017. Ref T13222. Currently, if you:

- type some text at a TOTP gate;
- wait ~60 seconds for the challenge to expire;
- submit the form into a "Wait patiently" message; and
- mash that wait button over and over again very patiently

...you still rack up rate limiting points, because the hidden text from your original request is preserved and triggers the "is the user responding to a challenge" test. Only perform this test if we haven't already decided that we're going to make them wait.

Test Plan:
- Did the above; before patch: rate limited; after patch: not rate limited.
- Intentionally typed a bunch of bad answers which were actually evaluated: rate limited properly.

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13222

Differential Revision: https://secure.phabricator.com/D20018

src/applications/auth/engine/PhabricatorAuthSessionEngine.php
··· 557 557 // Limit factor verification rates to prevent brute force attacks. 558 558 $any_attempt = false; 559 559 foreach ($factors as $factor) { 560 + $factor_phid = $factor->getPHID(); 561 + 560 562 $provider = $factor->getFactorProvider(); 561 563 $impl = $provider->getFactor(); 564 + 565 + // If we already have a result (normally "wait..."), we won't try 566 + // to validate whatever the user submitted, so this doesn't count as 567 + // an attempt for rate limiting purposes. 568 + if (isset($validation_results[$factor_phid])) { 569 + continue; 570 + } 562 571 563 572 if ($impl->getRequestHasChallengeResponse($factor, $request)) { 564 573 $any_attempt = true;
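Review bot: the early `continue` on `isset($validation_results[$factor_phid])` sits after the `$provider` and `$impl` lookups (lines 560-563 of the hunk), so those are computed for every factor that is about to be skipped; hoisting the `$factor_phid` assignment and the `isset` check above `$provider = $factor->getFactorProvider();` keeps the skip cheap and makes the intent read in one place. Note also that the skip keys on any pre-existing entry in `$validation_results`, not specifically the "wait" state the commit message describes; the inline comment says "normally", so if a result can be recorded for some other reason before this loop, that submission will also bypass the `$any_attempt` accounting and therefore rate limiting. If that is intended, the comment should say so; if only the wait case should be exempt, the check should test for that state rather than mere presence.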