From 2fd8cf4b15f511f866dabacaf788e18e59eff1fd Mon Sep 17 00:00:00 2001
From: Joas Schilling
Date: Thu, 30 Nov 2023 12:52:35 +0100
Subject: [PATCH] fix(bruteforce-protection): Don't throw a 500 when MaxDelayReached is thrown

Signed-off-by: Joas Schilling
---
 index.php | 17 +++++++++++++++++
 ocs/v1.php | 6 +++++-
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/index.php b/index.php
index 7b62f17e5bd58..cf6329f6e53d5 100644
--- a/index.php
+++ b/index.php
@@ -30,6 +30,8 @@
  */
 require_once __DIR__ . '/lib/versioncheck.php';
 
+use OCP\Security\Bruteforce\MaxDelayReached;
+
 try {
 	require_once __DIR__ . '/lib/base.php';
 
@@ -67,6 +69,21 @@
 		exit();
 	}
 	OC_Template::printErrorPage($ex->getMessage(), $ex->getMessage(), 401);
+} catch (MaxDelayReached $ex) {
+	$request = \OC::$server->getRequest();
+	/**
+	 * Routes with the @CORS annotation and other API endpoints should
+	 * not return a webpage, so we only print the error page when html is accepted,
+	 * otherwise we reply with a JSON array like the BruteForceMiddleware would do.
+	 */
+	if (stripos($request->getHeader('Accept'), 'html') === false) {
+		http_response_code(429);
+		header('Content-Type: application/json; charset=utf-8');
+		echo json_encode(['message' => $ex->getMessage()]);
+		exit();
+	}
+	http_response_code(429);
+	OC_Template::printGuestPage('core', '429');
 } catch (Exception $ex) {
 	\OC::$server->getLogger()->logException($ex, ['app' => 'index']);
diff --git a/ocs/v1.php b/ocs/v1.php
index 055398993729a..55e9f426aba8d 100644
--- a/ocs/v1.php
+++ b/ocs/v1.php
@@ -41,8 +41,9 @@
 	exit;
 }
 
-use Symfony\Component\Routing\Exception\ResourceNotFoundException;
+use OCP\Security\Bruteforce\MaxDelayReached;
 use Symfony\Component\Routing\Exception\MethodNotAllowedException;
+use Symfony\Component\Routing\Exception\ResourceNotFoundException;
 
 /*
  * Try the appframework routes
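Review bot: `http_response_code(429)` is issued twice in the new `catch (MaxDelayReached $ex)` block of index.php, once inside the JSON branch and once on the HTML fall-through; hoisting a single `http_response_code(429);` to directly after `$request = \OC::$server->getRequest();` removes the duplication and keeps the status code in one place for both response shapes. A 429 is more useful to well-behaved clients when it carries a `Retry-After` header, so if the throttler or the exception exposes the remaining delay, emitting it alongside the status in both branches would be worth adding. Unlike the sibling `catch (Exception $ex)` branch, this one does not log anything; if the throttler does not already record that the maximum delay was hit, a warning-level log entry here keeps the event visible to operators. The enclosing try/catch starts and ends outside the hunk.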
@@ -62,6 +63,9 @@
 	}
 	OC::$server->get(\OC\Route\Router::class)->match('/ocsapp'.\OC::$server->getRequest()->getRawPathInfo());
+} catch (MaxDelayReached $ex) {
+	$format = \OC::$server->getRequest()->getParam('format', 'xml');
+	OC_API::respond(new \OC\OCS\Result(null, OCP\AppFramework\Http::STATUS_TOO_MANY_REQUESTS, $ex->getMessage()), $format);
 } catch (ResourceNotFoundException $e) {
 	OC_API::setContentType();