As mentioned in the thoughts (private ones[1]), someone has been having trouble logging into the forum.
I looked into it, reset their password, and it still didn't work... They got a brute force warning.
Now, here's the thing. I remembered that Pete had committed some SMF fixes for Wedge, regarding brute force issues, and I'm thinking, that's where the problem lies -- in this fix.
So, is it an SMF bug, or a Wedge bug..?
The SMF 2.1 rewrite:
Code: [Select]
The Wedge rewrite:
Code: [Select]
From what I understand: first one means, "if recorded flood timestamp is older than 20 seconds ago, reset it to 2, otherwise don't touch it.
Second one means the exact opposite... Meaning, once the flood record is older than 20 seconds, the user is forever locked out of the forum.
It took me an hour to finally find the culprit, and I'd like to know what exactly went into this rewrite..?
Also, the Elk version is cleaner, and much shorter...
Code: [Select]
Finally, a note about the code that tests the timestamp and resets it if it's too recent.. (?)
In SMF 2.1:
Code: [Select]
(Means "if time stamp is older than 10 seconds...")
in Wedge:
Code: [Select]
(Means "if time stamp is more recent than 10 seconds ago...")
I'm inclined to believe the Wedge version is the correct one here, but honestly, I have no fucking idea. I'm just not comfortable enough with the whole validatePasswordFlood function, to be clear. I understand what it does, but not the magic of it.
So, err... Need your opinion, guys..?
Hopefully Pete sees this topic through the magic of 3G, or something... :^^;:
Additional note...
Looks like I can login with my hardcoded flood value, but it doesn't get reset to nothing, so I'm still with the same flood value after that... (?!)
I looked into it, reset their password, and it still didn't work... They got a brute force warning.
Now, here's the thing. I remembered that Pete had committed some SMF fixes for Wedge, regarding brute force issues, and I'm thinking, that's where the problem lies -- in this fix.
So, is it an SMF bug, or a Wedge bug..?
The SMF 2.1 rewrite:
$number_tries = $time_stamp < time() - 20 ? 2 : $number_tries;The Wedge rewrite:
$number_tries = time() - $time_stamp < 20 ? 2 : $number_tries;From what I understand: first one means, "if recorded flood timestamp is older than 20 seconds ago, reset it to 2, otherwise don't touch it.
Second one means the exact opposite... Meaning, once the flood record is older than 20 seconds, the user is forever locked out of the forum.
It took me an hour to finally find the culprit, and I'd like to know what exactly went into this rewrite..?
Also, the Elk version is cleaner, and much shorter...
// Timestamp invalid or non-existent?
if (empty($number_tries) || $time_stamp < (time() - 10))
{
// If it wasn't *that* long ago, don't give them another five goes.
$number_tries = !empty($number_tries) && $time_stamp < (time() - 20) ? 2 : 0;
$time_stamp = time();
}Finally, a note about the code that tests the timestamp and resets it if it's too recent.. (?)
In SMF 2.1:
if ($time_stamp < time() - 10)(Means "if time stamp is older than 10 seconds...")
in Wedge:
if (time() - $time_stamp < 10)(Means "if time stamp is more recent than 10 seconds ago...")
I'm inclined to believe the Wedge version is the correct one here, but honestly, I have no fucking idea. I'm just not comfortable enough with the whole validatePasswordFlood function, to be clear. I understand what it does, but not the magic of it.
So, err... Need your opinion, guys..?
Hopefully Pete sees this topic through the magic of 3G, or something... :^^;:
Posted: July 18th, 2013, 12:08 AM
Additional note...
Looks like I can login with my hardcoded flood value, but it doesn't get reset to nothing, so I'm still with the same flood value after that... (?!)
| 1. | I thought that using a public topic for this was okay, because I'm not going into specifics with the source code, and it's close enough to the SMF version anyway, which is freely available on github, so... |
