Merge pull request #10679 from snipe/fixes/timing_attack_mitigation_for_forgot_password

Added a random usleep to the forgotten-password method to mitigate timing attacks
snipe 2022-02-16 11:17:00 -07:00 committed by GitHub
commit 4f89dfee49


@ -87,6 +87,8 @@ class ForgotPasswordController extends Controller
\Log::info('Password reset attempt: User '.$request->input('username').'failed with exception: '.$e );
}
// Prevent timing attack to enumerate users.
usleep(500000 + random_int(0, 1500000));
if ($response === \Password::RESET_LINK_SENT) {
\Log::info('Password reset attempt: User '.$request->input('username').' WAS found, password reset sent');