login-security-solution
Opened 14 years ago
Closed 14 years ago
#1549 closed defect (fixed)
Possible error in sleep logic
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | normal | Severity: | normal |
| Plugin: | login-security-solution | Keywords: | delay, sleep, wait, logic error |
| Cc: | deanmarktaylor |
Description
There may be a logic error in the expectations for the duration of sleep within the process_login_fail function.
As commented by convissor in ticket #1548, the line $sleep = 0 is "needed" in the code below, taken from 0.14.0.
But in each of the if, elseif and else branches, the value always gets replaced with a random value between 1 and 60.
Is this expected?
```php
$sleep = 0;
if ($fails['total'] < $this->options['login_fail_tier_2']) {
    // Use random, overlapping sleep times to complicate profiling.
    $sleep = rand(1, 7);
} elseif ($fails['total'] < $this->options['login_fail_tier_3']) {
    $sleep = rand(4, 30);
} else {
    $sleep = rand(25, 60);
}
```
Is there a case where $sleep is expected to be zero?
As further down it is tested for:
if ($sleep) {
You're right. Fixed in release 0.15.0.