From a15d877ba8e12ba6659aad69d63b8b73256144ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Wed, 11 Nov 2015 12:53:43 -0500
Subject: [PATCH] Added brute-force attack prevention via login rate limit (#1490566)

---
 program/include/rcmail.php |   11 +++++++++++
 1 files changed, 11 insertions(+), 0 deletions(-)

diff --git a/program/include/rcmail.php b/program/include/rcmail.php
index 21ba812..bdf9405 100644
--- a/program/include/rcmail.php
+++ b/program/include/rcmail.php
@@ -60,6 +60,7 @@
     const ERROR_INVALID_REQUEST  = 1;
     const ERROR_INVALID_HOST     = 2;
     const ERROR_COOKIES_DISABLED = 3;
+    const ERROR_RATE_LIMIT       = 4;
 
 
     /**
@@ -602,12 +603,22 @@
         // user already registered -> overwrite username
         if ($user = rcube_user::query($username, $host)) {
             $username = $user->data['username'];
+
+            // Brute-force prevention
+            if ($user->is_locked()) {
+                $this->login_error = self::ERROR_RATE_LIMIT;
+                return false;
+            }
         }
 
         $storage = $this->get_storage();
 
         // try to log in
         if (!$storage->connect($host, $username, $password, $port, $ssl)) {
+            if ($user) {
+                $user->failed_login();
+            }
+
             // Wait a second to slow down brute-force attacks (#1490549)
             sleep(1);
             return false;

--
Gitblit v1.9.1