

Merge pull request from GHSA-9358-cpvx-c2qp
Co-authored-by: Fabrizio Balliano <fabrizio.balliano@gmail.com>
colinmollenhour and fballiano authored Aug 29, 2023
1 parent 621f21f commit 2a2a2fb
Showing 6 changed files with 73 additions and 38 deletions.
35 changes: 35 additions & 0 deletions app/code/core/Mage/Core/Helper/Data.php
Expand Up @@ -1000,4 +1000,39 @@ public function unEscapeCSVData($data)
}
return $data;
}

/**
* @param bool $setErrorMessage Adds a predefined error message to the 'core/session' object
* @return bool
*/
public function isRateLimitExceeded($setErrorMessage = true, $recordRateLimitHit = true): bool
{
$active = Mage::getStoreConfigFlag('system/rate_limit/active');
if ($active && $remoteAddr = Mage::helper('core/http')->getRemoteAddr()) {
$cacheTag = 'rate_limit_' . $remoteAddr;
if (Mage::app()->testCache($cacheTag)) {
$errorMessage = "Too Soon: You are trying to perform this operation too frequently. Please wait a few seconds and try again.";
Mage::getSingleton('core/session')->addError($this->__($errorMessage));
return true;
}

if ($recordRateLimitHit) {
$this->recordRateLimitHit();
}
}

return false;
}

/**
* @return void
*/
public function recordRateLimitHit(): void
{
$active = Mage::getStoreConfigFlag('system/rate_limit/active');
if ($active && $remoteAddr = Mage::helper('core/http')->getRemoteAddr()) {
$cacheTag = 'rate_limit_' . $remoteAddr;
Mage::app()->saveCache(1, $cacheTag, ['brute_force'], Mage::getStoreConfig('system/rate_limit/timeframe'));
}
}
}
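Review bot: `$setErrorMessage` is documented as controlling whether the error is added, but the `addError` call inside the `testCache` branch runs unconditionally, so `isRateLimitExceeded(false)` still pushes a session message; wrap it as `if ($setErrorMessage) { Mage::getSingleton('core/session')->addError($this->__($errorMessage)); }` and add `@param bool $recordRateLimitHit Also record this request as a hit when the limit is not yet exceeded` to the docblock. The throttle key is whatever `core/http` `getRemoteAddr()` returns, which is not shown here; if that helper is configured to trust a forwarded-address header, the key is client-controlled and the limit can be bypassed or aimed at other clients, so note it: `// NOTE: keyed on getRemoteAddr(); only trust proxy headers from known proxies`. The cache id embeds the raw address (`rate_limit_1.2.3.4`, or an IPv6 literal with colons); if the cache front-end enforces Zend_Cache's `[a-zA-Z0-9_]` id rule this will throw instead of throttling, so derive the id from a sanitised form such as `'rate_limit_' . md5($remoteAddr)` in both methods.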
4 changes: 4 additions & 0 deletions app/code/core/Mage/Core/etc/config.xml
Expand Up @@ -315,6 +315,10 @@
<csrf>
<use_form_key>1</use_form_key>
</csrf>
<rate_limit>
<active>1</active>
<timeframe>30</timeframe>
</rate_limit>
<cache>
<flush_cron_expr>30 2 * * *</flush_cron_expr>
</cache>
63 changes: 27 additions & 36 deletions app/code/core/Mage/Core/etc/system.xml
Expand Up @@ -50,6 +50,33 @@
</use_form_key>
</fields>
</csrf>
<rate_limit translate="label comment" module="core">
<label>Rate limit</label>
<sort_order>10</sort_order>
<show_in_default>1</show_in_default>
<show_in_website>1</show_in_website>
<show_in_store>1</show_in_store>
<comment>This functionality limits the number of requests a user (identified by IP address) can perform within a specific time frame, preventing excessive resources usage and maintaining system performance, stability and security.</comment>
<fields>
<active translate="label">
<label>Enabled</label>
<frontend_type>select</frontend_type>
<source_model>adminhtml/system_config_source_yesno</source_model>
<sort_order>10</sort_order>
<show_in_default>1</show_in_default>
<show_in_website>1</show_in_website>
<show_in_store>1</show_in_store>
</active>
<timeframe translate="label comment">
<label>Timeframe</label>
<sort_order>20</sort_order>
<show_in_default>1</show_in_default>
<show_in_website>1</show_in_website>
<show_in_store>1</show_in_store>
<comment>Number of seconds between each allowed request.</comment>
</timeframe>
</fields>
</rate_limit>
<cache translate="label" module="core">
<label>Advanced Cache Settings</label>
<sort_order>1000</sort_order>
Expand All @@ -69,13 +96,6 @@
</cache>
</groups>
</system>
<!--<web_track translate="label" module="core">
<label>Web Tracking</label>
<sort_order>180</sort_order>
<show_in_default>1</show_in_default>
<show_in_website>1</show_in_website>
<show_in_store>1</show_in_store>
</web_track>-->
<advanced translate="label" module="core">
<label>Advanced</label>
<tab>advanced</tab>
Expand All @@ -84,35 +104,6 @@
<show_in_website>1</show_in_website>
<show_in_store>1</show_in_store>
<groups>
<!--datashare translate="label">
<label>Datasharing</label>
<sort_order>1</sort_order>
<show_in_default>1</show_in_default>
<show_in_website>1</show_in_website>
<show_in_store>0</show_in_store>
<fields>
<default translate="label">
<label>Default</label>
<frontend_type>multiselect</frontend_type>
<backend_model>adminhtml/system_config_backend_datashare</backend_model>
<source_model>adminhtml/system_config_source_store</source_model>
<sort_order>1</sort_order>
<show_in_default>1</show_in_default>
<show_in_website>1</show_in_website>
<show_in_store>1</show_in_store>
</default>
<default translate="label">
<label>Default</label>
<frontend_type>multiselect</frontend_type>
<backend_model>adminhtml/system_config_backend_datashare</backend_model>
<source_model>adminhtml/system_config_source_store</source_model>
<sort_order>1</sort_order>
<show_in_default>1</show_in_default>
<show_in_website>1</show_in_website>
<show_in_store>1</show_in_store>
</default>
</fields>
</datashare-->
<modules_disable_output translate="label">
<label>Disable Modules Output</label>
<frontend_model>adminhtml/system_config_form_fieldset_modules_disableOutput</frontend_model>
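Review bot: The group comment describes a general per-IP request limiter, but the helper added in this commit blocks an address for the whole `timeframe` after a single recorded hit, and only the guest order lookup records hits so far, so an administrator reading "limits the number of requests" will expect different behaviour. Suggest the group comment read `Blocks further attempts from an IP address for the configured number of seconds after a failed sensitive operation (currently the guest order lookup).` and the timeframe comment `Number of seconds an IP address is blocked after a recorded failed attempt.`. Because the lock is keyed by IP, clients behind a shared NAT or proxy are throttled together; stating that in the comment lets store owners tune the value knowingly.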
6 changes: 5 additions & 1 deletion app/code/core/Mage/Sales/Helper/Guest.php
Expand Up @@ -105,6 +105,7 @@ public function loadValidOrder()
$errors = true;
}
} else {
Mage::helper('core')->recordRateLimitHit();
$errors = true;
}
}
Expand All @@ -114,7 +115,10 @@ public function loadValidOrder()
return true;
}

Mage::getSingleton('core/session')->addError($this->__($errorMessage));
if (!Mage::helper('core')->isRateLimitExceeded(true, false)) {
Mage::getSingleton('core/session')->addError($this->__($errorMessage));
}

Mage::app()->getResponse()->setRedirect(Mage::getUrl('sales/guest/form'));
return false;
}
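Review bot: Unless `loadValidOrder` already calls `isRateLimitExceeded()` before the lookup (the method starts above this hunk, so that is not visible here), the limit is consulted only on the error path after the order lookup has run, so a throttled client still gets every lookup executed and still succeeds on a correct guess; the `Too Soon` message merely replaces the generic error. A guard at the top of the method, `if (Mage::helper('core')->isRateLimitExceeded()) { Mage::app()->getResponse()->setRedirect(Mage::getUrl('sales/guest/form')); return false; }`, is what actually stops the attempt. The hit is recorded only in the `else` branch shown; the earlier `$errors = true;` branch in this hunk records nothing, so confirm that path cannot be driven by guessing. If the submitted protect code is compared with plain string equality elsewhere in this method, `hash_equals()` is the safer form.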
2 changes: 1 addition & 1 deletion app/code/core/Mage/Sales/Model/Order.php
Expand Up @@ -2372,7 +2372,7 @@ protected function _beforeSave()
}

if (!$this->getId()) {
$this->setData('protect_code', substr(md5(uniqid(mt_rand(), true) . ':' . microtime(true)), 5, 6));
$this->setData('protect_code', Mage::helper('core')->getRandomString(16));
}

if ($this->getStatus() !== $this->getOrigData('status')) {
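Review bot: Existing orders keep their old six-hex-character `protect_code`, because the new generation runs only under `if (!$this->getId())`, so every pre-existing order stays as guessable as before and relies entirely on the new rate limiter; a data-upgrade script that regenerates codes for existing rows, or at least a release note, would close that gap. The new strength also depends wholly on `Mage_Core_Helper_Data::getRandomString()`, which is not in this diff — confirm it draws from `random_int()`/`random_bytes()` rather than `mt_rand()`, and record the requirement here: `// protect_code is the unauthenticated guest-order lookup secret; it must come from a CSPRNG`. `_beforeSave` starts and ends outside this hunk.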
1 change: 1 addition & 0 deletions app/locale/en_US/Mage_Core.csv
Expand Up @@ -384,6 +384,7 @@
"Timezone","Timezone"
"Title Prefix","Title Prefix"
"Title Suffix","Title Suffix"
"Too Soon: You are trying to perform this operation too frequently. Please wait a few seconds and try again.","Too Soon: You are trying to perform this operation too frequently. Please wait a few seconds and try again."
"Transactional Emails","Transactional Emails"
"Translate Inline","Translate Inline"
"Translate, blocks and other output caches should be disabled for both frontend and admin inline translations.","Translate, blocks and other output caches should be disabled for both frontend and admin inline translations."

