authorTheo Chatzimichos <tampakrap@gentoo.org>2011-02-09 13:18:42 +0200
committerTheo Chatzimichos <tampakrap@gentoo.org>2011-02-09 13:18:42 +0200
commit0b8a5c47c3eb22bc9d8aacbae016ae2b7c643131 (patch)
tree2f9b8a178c1c968948175cb5fa025cc9812720d7 /plugins/limit-login-attempts
parentUpdate akismet to 2.5.1 and smart-youtube to 3.8.3 (diff)
Updates:
akismet to version 2.5.3, limit-login-attempts to 1.6.0, wp-stats to 1.8.1, wp-syntax to 0.9.9
Diffstat (limited to 'plugins/limit-login-attempts')
-rwxr-xr-xplugins/limit-login-attempts/limit-login-attempts.php96
-rwxr-xr-xplugins/limit-login-attempts/readme.txt32
-rwxr-xr-xplugins/limit-login-attempts/screenshot-3.gifbin34265 -> 32901 bytes
3 files changed, 55 insertions, 73 deletions
diff --git a/plugins/limit-login-attempts/limit-login-attempts.php b/plugins/limit-login-attempts/limit-login-attempts.php
index b4756648..38ad97d2 100755
--- a/plugins/limit-login-attempts/limit-login-attempts.php
+++ b/plugins/limit-login-attempts/limit-login-attempts.php
@@ -5,11 +5,11 @@
Description: Limit rate of login attempts, including by way of cookies, for each IP.
Author: Johan Eenfeldt
Author URI: http://devel.kostdoktorn.se
- Version: 1.5.2
+ Version: 1.6.0
- Copyright 2008, 2009, 2010 Johan Eenfeldt
+ Copyright 2008 - 2011 Johan Eenfeldt
- Thanks to Michael Skerwiderski for reverse proxy handling.
+ Thanks to Michael Skerwiderski for reverse proxy handling suggestions.
Licenced under the GNU GPL:
@@ -63,12 +63,9 @@ $limit_login_options =
, 'long_duration' => 86400 // 24 hours
/* Reset failed attempts after this many seconds */
- , 'valid_duration' => 86400 // 24 hours
+ , 'valid_duration' => 43200 // 12 hours
- /* Also limit malformed/forged cookies?
- *
- * NOTE: Only works in WP 2.7+, as necessary actions were added then.
- */
+ /* Also limit malformed/forged cookies? */
, 'cookies' => true
/* Notify on lockout. Values: '', 'log', 'email', 'log,email' */
@@ -96,8 +93,8 @@ limit_login_setup();
/* Get options and setup filters & actions */
function limit_login_setup() {
- load_plugin_textdomain('limit-login-attempts'
- , PLUGINDIR.'/'.dirname(plugin_basename(__FILE__)));
+ load_plugin_textdomain('limit-login-attempts', false
+ , dirname(plugin_basename(__FILE__)));
limit_login_setup_options();
@@ -211,11 +208,19 @@ function limit_login_handle_cookies() {
return;
}
- if (empty($_COOKIE[AUTH_COOKIE]) && empty($_COOKIE[SECURE_AUTH_COOKIE])
- && empty($_COOKIE[LOGGED_IN_COOKIE])) {
- return;
- }
+ limit_login_clear_auth_cookie();
+}
+
+
+/* Action: failed cookie login wrapper for limit_login_failed() */
+function limit_login_failed_cookie($cookie_elements) {
+ limit_login_clear_auth_cookie();
+ limit_login_failed($cookie_elements['username']);
+}
+
+/* Make sure auth cookie really get cleared (for this session too) */
+function limit_login_clear_auth_cookie() {
wp_clear_auth_cookie();
if (!empty($_COOKIE[AUTH_COOKIE])) {
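Review bot: The new `limit_login_failed_cookie` wrapper reads `$cookie_elements['username']` unconditionally, whereas the code it replaces (the `array_key_exists('username', $arg)` branch removed lower in this diff) tolerated a missing key, so an action firing with a malformed element array would now raise a notice and hand null to `limit_login_failed`. Suggest `limit_login_failed(isset($cookie_elements['username']) ? $cookie_elements['username'] : '');`. Note also that this username comes straight out of the client-supplied auth cookie and, as far as this diff shows, reaches `limit_login_notify` and the lockout log without any sanitisation, so whatever displays that log must escape it. `limit_login_clear_auth_cookie` continues past the end of this hunk.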
@@ -229,20 +234,13 @@ function limit_login_handle_cookies() {
}
}
-
-/* Action: failed cookie login wrapper for limit_login_failed() */
-function limit_login_failed_cookie($arg) {
- limit_login_failed($arg);
- wp_clear_auth_cookie();
-}
-
/*
* Action when login attempt failed
*
* Increase nr of retries (if necessary). Reset valid value. Setup
* lockout if nr of retries are above threshold. And more!
*/
-function limit_login_failed($arg) {
+function limit_login_failed($username) {
$ip = limit_login_get_address();
/* if currently locked-out, do not add to retries */
@@ -302,21 +300,11 @@ function limit_login_failed($arg) {
$lockouts[$ip] = time() + limit_login_option('lockout_duration');
}
- /* try to find username which failed */
- $user = '';
- if (is_string($arg)) {
- /* action: wp_login_failed */
- $user = $arg;
- } elseif (is_array($arg) && array_key_exists('username', $arg)) {
- /* action: auth_cookie_bad_* */
- $user = $arg['username'];
- }
-
/* do housecleaning and save values */
limit_login_cleanup($retries, $lockouts, $valid);
/* do any notification */
- limit_login_notify($user);
+ limit_login_notify($username);
/* increase statistics */
$total = get_option('limit_login_lockouts_total');
@@ -398,13 +386,13 @@ function limit_login_notify_email($user) {
* limit_login_option('allowed_lockouts');
$lockouts = limit_login_option('allowed_lockouts');
$time = round(limit_login_option('long_duration') / 3600);
- $when = sprintf(__ngettext('%d hour', '%d hours', $time, 'limit-login-attempts'), $time);
+ $when = sprintf(_n('%d hour', '%d hours', $time, 'limit-login-attempts'), $time);
} else {
/* normal lockout */
$count = $retries[$ip];
$lockouts = floor($count / limit_login_option('allowed_retries'));
$time = round(limit_login_option('lockout_duration') / 60);
- $when = sprintf(__ngettext('%d minute', '%d minutes', $time, 'limit-login-attempts'), $time);
+ $when = sprintf(_n('%d minute', '%d minutes', $time, 'limit-login-attempts'), $time);
}
$blogname = is_limit_login_multisite() ? get_site_option('site_name') : get_option('blogname');
@@ -486,9 +474,9 @@ function limit_login_error_msg() {
$when = ceil(($lockouts[$ip] - time()) / 60);
if ($when > 60) {
$when = ceil($when / 60);
- $msg .= sprintf(__ngettext('Please try again in %d hour.', 'Please try again in %d hours.', $when, 'limit-login-attempts'), $when);
+ $msg .= sprintf(_n('Please try again in %d hour.', 'Please try again in %d hours.', $when, 'limit-login-attempts'), $when);
} else {
- $msg .= sprintf(__ngettext('Please try again in %d minute.', 'Please try again in %d minutes.', $when, 'limit-login-attempts'), $when);
+ $msg .= sprintf(_n('Please try again in %d minute.', 'Please try again in %d minutes.', $when, 'limit-login-attempts'), $when);
}
return $msg;
@@ -517,7 +505,7 @@ function limit_login_retries_remaining_msg() {
}
$remaining = max((limit_login_option('allowed_retries') - ($retries[$ip] % limit_login_option('allowed_retries'))), 0);
- return sprintf(__ngettext("<strong>%d</strong> attempt remaining.", "<strong>%d</strong> attempts remaining.", $remaining, 'limit-login-attempts'), $remaining);
+ return sprintf(_n("<strong>%d</strong> attempt remaining.", "<strong>%d</strong> attempts remaining.", $remaining, 'limit-login-attempts'), $remaining);
}
@@ -634,13 +622,6 @@ function limit_login_track_credentials($user, $password) {
* Admin stuff
*/
-/* Does wordpress version support cookie option? */
-function limit_login_support_cookie_option() {
- global $wp_version;
- return (version_compare($wp_version, '2.7', '>='));
-}
-
-
/* Make a guess if we are behind a proxy or not */
function limit_login_guess_proxy() {
return isset($_SERVER[LIMIT_LOGIN_PROXY_ADDR])
@@ -708,6 +689,8 @@ function limit_login_sanitize_variables() {
limit_login_sanitize_simple_int('allowed_lockouts');
limit_login_sanitize_simple_int('long_duration');
+ $limit_login_options['cookies'] = !!limit_login_option('cookies');
+
$notify_email_after = max(1, intval(limit_login_option('notify_email_after')));
$limit_login_options['notify_email_after'] = min(limit_login_option('allowed_lockouts'), $notify_email_after);
@@ -721,11 +704,6 @@ function limit_login_sanitize_variables() {
}
$limit_login_options['lockout_notify'] = implode(',', $new_args);
- $cookies = limit_login_option('cookies')
- && limit_login_support_cookie_option() ? true : false;
-
- $limit_login_options['cookies'] = $cookies;
-
if ( limit_login_option('client_type') != LIMIT_LOGIN_DIRECT_ADDR
&& limit_login_option('client_type') != LIMIT_LOGIN_PROXY_ADDR ) {
$limit_login_options['client_type'] = LIMIT_LOGIN_DIRECT_ADDR;
@@ -760,12 +738,12 @@ function limit_login_show_log($log) {
return;
}
- echo('<tr><th scope="col">' . _c("IP|Internet address", 'limit-login-attempts') . '</th><th scope="col">' . __('Tried to log in as', 'limit-login-attempts') . '</th></tr>');
+ echo('<tr><th scope="col">' . _x("IP", "Internet address", 'limit-login-attempts') . '</th><th scope="col">' . __('Tried to log in as', 'limit-login-attempts') . '</th></tr>');
foreach ($log as $ip => $arr) {
echo('<tr><td class="limit-login-ip">' . $ip . '</td><td class="limit-login-max">');
$first = true;
foreach($arr as $user => $count) {
- $count_desc = sprintf(__ngettext('%d lockout', '%d lockouts', $count, 'limit-login-attempts'), $count);
+ $count_desc = sprintf(_n('%d lockout', '%d lockouts', $count, 'limit-login-attempts'), $count);
if (!$first) {
echo(', ' . $user . ' (' . $count_desc . ')');
} else {
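Review bot: `limit_login_show_log` echoes `$ip` and `$user` straight into the admin table markup with no escaping (`'<td class="limit-login-ip">' . $ip . '</td>'` and `echo(', ' . $user . ' (' . $count_desc . ')')`); if the logged usernames include those taken from failed auth-cookie attempts, as the cookie wrapper earlier in this diff suggests, a forged cookie can plant markup that renders for the administrator. Wrap both values with `esc_html()`, e.g. `echo('<tr><td class="limit-login-ip">' . esc_html($ip) . '</td><td class="limit-login-max">');` and `echo(', ' . esc_html($user) . ' (' . $count_desc . ')');`. The function starts and ends outside this hunk, so the `$first` branch below needs the same treatment.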
@@ -847,15 +825,6 @@ function limit_login_option_page() {
$lockouts = get_option('limit_login_lockouts');
$lockouts_now = is_array($lockouts) ? count($lockouts) : 0;
- if (!limit_login_support_cookie_option()) {
- $cookies_disabled = ' DISABLED ';
- $cookies_note = ' <br /> '
- . __('<strong>NOTE:</strong> Only works in Wordpress 2.7 or later'
- , 'limit-login-attempts');
- } else {
- $cookies_disabled = '';
- $cookies_note = '';
- }
$cookies_yes = limit_login_option('cookies') ? ' checked ' : '';
$cookies_no = limit_login_option('cookies') ? '' : ' checked ';
@@ -894,7 +863,7 @@ function limit_login_option_page() {
<td>
<?php if ($lockouts_total > 0) { ?>
<input name="reset_total" value="<?php echo __('Reset Counter','limit-login-attempts'); ?>" type="submit" />
- <?php echo sprintf(__ngettext('%d lockout since last reset', '%d lockouts since last reset', $lockouts_total, 'limit-login-attempts'), $lockouts_total); ?>
+ <?php echo sprintf(_n('%d lockout since last reset', '%d lockouts since last reset', $lockouts_total, 'limit-login-attempts'), $lockouts_total); ?>
<?php } else { echo __('No lockouts yet','limit-login-attempts'); } ?>
</td>
</tr>
@@ -942,8 +911,7 @@ function limit_login_option_page() {
<tr>
<th scope="row" valign="top"><?php echo __('Handle cookie login','limit-login-attempts'); ?></th>
<td>
- <label><input type="radio" name="cookies" <?php echo $cookies_disabled . $cookies_yes; ?> value="1" /> <?php echo __('Yes','limit-login-attempts'); ?></label> <label><input type="radio" name="cookies" <?php echo $cookies_disabled . $cookies_no; ?> value="0" /> <?php echo __('No','limit-login-attempts'); ?></label>
- <?php echo $cookies_note ?>
+ <label><input type="radio" name="cookies" <?php echo $cookies_yes; ?> value="1" /> <?php echo __('Yes','limit-login-attempts'); ?></label> <label><input type="radio" name="cookies" <?php echo $cookies_no; ?> value="0" /> <?php echo __('No','limit-login-attempts'); ?></label>
</td>
</tr>
<tr>
diff --git a/plugins/limit-login-attempts/readme.txt b/plugins/limit-login-attempts/readme.txt
index 101b1313..39b229be 100755
--- a/plugins/limit-login-attempts/readme.txt
+++ b/plugins/limit-login-attempts/readme.txt
@@ -1,15 +1,15 @@
=== Limit Login Attempts ===
Contributors: johanee
Tags: login, security, authentication
-Requires at least: 2.5
-Tested up to: 3.0.1
-Stable tag: 1.5.2
+Requires at least: 2.8
+Tested up to: 3.1-RC1
+Stable tag: 1.6.0
Limit rate of login attempts, including by way of cookies, for each IP.
== Description ==
-Limit the number of login attempts possible both through normal login as well as (WordPress 2.7+) using auth cookies.
+Limit the number of login attempts possible both through normal login as well as using auth cookies.
By default WordPress allows unlimited login attempts either through the login page or by sending special cookies. This allows passwords (or hashes) to be brute-force cracked with relative ease.
@@ -18,7 +18,7 @@ Limit Login Attempts blocks an Internet address from making further attempts aft
Features
* Limit the number of retry attempts when logging in (for each IP). Fully customizable
-* (WordPress 2.7+) Limit the number of attempts to log in using auth cookies in same way
+* Limit the number of attempts to log in using auth cookies in same way
* Informs user about remaining retries or lockout time on login page
* Optional logging, optional email notification
* Handles server behind reverse proxy
@@ -29,14 +29,18 @@ Plugin uses standard actions and filters only.
== Installation ==
-1. Download and extract plugin files to a folder in your wp-content/plugin directory.
+1. Download and extract plugin files to a wp-content/plugin directory.
2. Activate the plugin through the WordPress admin interface.
-3. Customize the settings from the options page, if desired. If your server is located behind a reverse proxy make sure to change this setting.
+3. Customize the settings on the options page, if desired. If your server is located behind a reverse proxy make sure to change this setting.
If you have any questions or problems please make a post here: http://wordpress.org/tags/limit-login-attempts
== Frequently Asked Questions ==
+= Why not reset failed attempts on a successful login? =
+
+This is very much by design. Otherwise you could brute force the "admin" password by logging in as your own user every 4th attempt.
+
= What is this option about site connection and reverse proxy? =
A reverse proxy is a server in between the site and the Internet (perhaps handling caching or load-balancing). This makes getting the correct client IP to block slightly more complicated.
@@ -59,11 +63,21 @@ If you have access to the database (for example through phpMyAdmin) you can clea
1. Loginscreen after failed login with retries remaining
2. Loginscreen during lockout
-3. Administration interface in WordPress 2.7
-4. Administration interface in WordPress 2.5
+3. Administration interface in WordPress 3.0.4
== Changelog ==
+= 1.6.0 =
+* Happy New Year
+* Tested against WordPress 3.1-RC1
+* Plugin now requires WordPress version 2.8+. Of course you should never ever use anything but the latest version
+* Fixed deprecation warnings that had been piling up with the old version requirement. Thanks to Johannes Ruthenberg for the report that prompted this
+* Removed auth cookie admin check for version 2.7.
+* Make sure relevant values in $_COOKIE get cleared right away on auth cookie validation failure. There are still some problems with cookie auth handling. The lockout can trigger prematurely in rare cases, but fixing it is plugin version 2 stuff unfortunately.
+* Changed default time for retries to reset from 24 hours to 12 hours. The security impact is very minor and it means the warning will disappear "overnight"
+* Added question to FAQ ("Why not reset failed attempts on a successful login?")
+* Updated screenshots
+
= 1.5.2 =
* Reverted minor cookie-handling cleanup which might somehow be responsible for recently reported cookie related lockouts
* Added version 1.x Brazilian Portuguese translation, thanks to Luciano Passuello
diff --git a/plugins/limit-login-attempts/screenshot-3.gif b/plugins/limit-login-attempts/screenshot-3.gif
index 6a8f6c1e..d86e2159 100755
--- a/plugins/limit-login-attempts/screenshot-3.gif
+++ b/plugins/limit-login-attempts/screenshot-3.gif
Binary files differ