Merge pull request #36576 from nextcloud/backport/36489/stable22

blizzz · web-flow · commit 33329a50b8ef · 2023-02-07T10:09:50.000+01:00
[stable22] Add bruteforce protection to password reset page
diff --git a/core/Controller/LostController.php b/core/Controller/LostController.php
@@ -128,6 +128,8 @@ public function __construct(
 	 *
 	 * @PublicPage
 	 * @NoCSRFRequired
+	 * @BruteForceProtection(action=passwordResetEmail)
+	 * @AnonRateThrottle(limit=10, period=300)
 	 *
 	 * @param string $token
 	 * @param string $userId
@@ -141,12 +143,14 @@ public function resetform($token, $userId) {
 				|| ($e instanceof InvalidTokenException
 					&& !in_array($e->getCode(), [InvalidTokenException::TOKEN_NOT_FOUND, InvalidTokenException::USER_UNKNOWN]))
 			) {
-				return new TemplateResponse(
+				$response = new TemplateResponse(
 					'core', 'error', [
 						"errors" => [["error" => $e->getMessage()]]
 					],
 					TemplateResponse::RENDER_AS_GUEST
 				);
+				$response->throttle();
+				return $response;
 			}
 			return new TemplateResponse('core', 'error', [
 				'errors' => [['error' => $this->l10n->t('Password reset is disabled')]]
diff --git a/tests/Core/Controller/LostControllerTest.php b/tests/Core/Controller/LostControllerTest.php
@@ -165,6 +165,7 @@ public function testResetFormTokenError() {
 				]
 			],
 			'guest');
+		$expectedResponse->throttle();
 		$this->assertEquals($expectedResponse, $response);
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -165,6 +165,7 @@ public function testResetFormTokenError() {`
`165`	`165`	`]`
`166`	`166`	`],`
`167`	`167`	`'guest');`
	`168`	`+ $expectedResponse->throttle();`
`168`	`169`	`$this->assertEquals($expectedResponse, $response);`
`169`	`170`	`}`
`170`	`171`