author | Koosha Khajeh Moogahi <koosha.khajeh@gmail.com> | 2012-04-13 01:09:54 +0200 |
---|---|---|
committer | Frédéric Buclin <LpSolit@gmail.com> | 2012-04-13 01:09:54 +0200 |
commit | 56414122a1bde2bd45b2bba590ee8f1a6bb40648 (patch) | |
tree | 49897716ef5b060aed2c9f61de5bcc05bb7f2d83 /Bugzilla | |
parent | 0354373916176c202632a7cb8965b1afd578ab8d (diff) | |
Bug 349337: The time between two successive token requests should be a constant
r/a=LpSolit
Diffstat (limited to 'Bugzilla')
-rw-r--r-- | Bugzilla/Constants.pm | 5 | ||||
-rw-r--r-- | Bugzilla/Token.pm | 6 |
2 files changed, 8 insertions, 3 deletions
diff --git a/Bugzilla/Constants.pm b/Bugzilla/Constants.pm
index 279405c74..e4d32d435 100644
--- a/Bugzilla/Constants.pm
+++ b/Bugzilla/Constants.pm
@@ -140,6 +140,7 @@ use Memoize;
 MAX_SUDO_TOKEN_AGE
 MAX_LOGIN_ATTEMPTS
 LOGIN_LOCKOUT_INTERVAL
+ ACCOUNT_CHANGE_INTERVAL
 MAX_STS_AGE
 
 SAFE_PROTOCOLS
@@ -409,6 +410,10 @@ use constant MAX_LOGIN_ATTEMPTS => 5;
 # account is locked.
 use constant LOGIN_LOCKOUT_INTERVAL => 30;
 
+# The time in minutes a user must wait before he can request another email to
+# create a new account or change his password.
+use constant ACCOUNT_CHANGE_INTERVAL => 10;
+
 # The maximum number of seconds the Strict-Transport-Security header
 # will remain valid. Default is one week.
 use constant MAX_STS_AGE => 604800;
diff --git a/Bugzilla/Token.pm b/Bugzilla/Token.pm
index a9d9b3bd8..feb707e70 100644
--- a/Bugzilla/Token.pm
+++ b/Bugzilla/Token.pm
@@ -46,7 +46,7 @@ sub issue_new_user_account_token {
 # Is there already a pending request for this login name? If yes, do not throw
 # an error because the user may have lost his email with the token inside.
 # But to prevent using this way to mailbomb an email address, make sure
- # the last request is at least 10 minutes old before sending a new email.
+ # the last request is old enough before sending a new email (default: 10 minutes).
 
 my $pending_requests = $dbh->selectrow_array(
 'SELECT COUNT(*)
@@ -54,7 +54,7 @@ sub issue_new_user_account_token {
 WHERE tokentype = ?
 AND ' . $dbh->sql_istrcmp('eventdata', '?') . '
 AND issuedate > '
- . $dbh->sql_date_math('NOW()', '-', 10, 'MINUTE'),
+ . $dbh->sql_date_math('NOW()', '-', ACCOUNT_CHANGE_INTERVAL, 'MINUTE'),
 undef, ('account', $login_name));
 
 ThrowUserError('too_soon_for_new_token', {'type' => 'account'}) if $pending_requests;
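Review bot: The new constant's unit lives only in its comment, and the comment should also say what the value is allowed to be, because both call sites in Token.pm hand it to `$dbh->sql_date_math('NOW()', '-', ACCOUNT_CHANGE_INTERVAL, 'MINUTE')` in place of the literal `10`, which by its name and usage presumably interpolates the value into SQL text rather than binding it as a parameter. That is safe today precisely because this is a compile-time integer literal under `use constant`; the danger is a later change turning it into an admin-editable Parameter without validation. I would extend the header comment with `# Keep this a plain integer literal: Token.pm passes it to sql_date_math(), which builds SQL text from it rather than binding it.` The `he/his` wording in the same comment could also be neutralised to `they/their`.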
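Review bot: The rewritten comment in issue_new_user_account_token says `(default: 10 minutes)`, but the value comes from `use constant ACCOUNT_CHANGE_INTERVAL => 10;`, which has no override mechanism, so "default" promises configurability the code does not have and will go stale if the constant is edited. Naming the constant keeps the comment and the code in step: `# the last request is at least ACCOUNT_CHANGE_INTERVAL minutes old before sending a new email.` The hunk relies on Token.pm already importing Bugzilla::Constants, which the diff does not show; the name is added to the export list in Constants.pm, so this presumably works, but worth a glance. The enclosing sub continues outside the hunk.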
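Review bot: The COUNT(*) check in the `@@ -54` hunk and the token insert that presumably follows later in the sub (outside the hunk) are not atomic, so two requests for the same login name arriving within the same window can each see zero pending tokens and each send a mail; the commit only substitutes the constant and does not change this, and the effect is bounded by how many requests race within one interval, but a reader tuning ACCOUNT_CHANGE_INTERVAL should know the limit is best-effort rather than strict. A one-line note above the query would make that explicit: `# Best-effort rate limit: this check and the later INSERT are not atomic, so concurrent requests can each pass it once.` The sub's body starts and ends outside this hunk.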
@@ -122,7 +122,7 @@ sub IssuePasswordToken {
 'SELECT 1 FROM tokens WHERE userid = ? AND tokentype = ? AND issuedate > '
- . $dbh->sql_date_math('NOW()', '-', 10, 'MINUTE'),
+ . $dbh->sql_date_math('NOW()', '-', ACCOUNT_CHANGE_INTERVAL, 'MINUTE'),
 undef, ($user->id, 'password'));
 ThrowUserError('too_soon_for_new_token', {'type' => 'password'}) if $too_soon; |
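Review bot: Unlike the account-token path, the `$too_soon` query in IssuePasswordToken carries no comment saying why a recent token blocks a new one, so the constant's purpose here has to be inferred from the other sub. A short note above the query would fix that: `# Refuse a new reset mail while one issued less than ACCOUNT_CHANGE_INTERVAL minutes ago is still live, so this endpoint cannot be used to mailbomb the account's address.` As a style point, this sub tests with `SELECT 1` while issue_new_user_account_token uses `SELECT COUNT(*)` for the same decision; both work as booleans in Perl, but one form in both places would read better. The sub's opening and its use of `$user` lie outside the hunk.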