[SECURITY] Prevent time based information disclosure

To prevent a time based information disclosure in backend password reset, this patch adds a random delay between 200 milliseconds and 3 seconds before sending the response to the client. Resolves: #91243 Releases: master Change-Id: I0362db283145e0bed414ecdb06fff81b2cff0d4b Security-Bulletin: TYPO3-CORE-SA-2020-001 Security-References: CVE-2020-11063 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64466 Tested-by: Oliver Hader <oliver.hader@typo3.org> Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

[SECURITY] Prevent time based information disclosure
To prevent a time based information disclosure in backend password reset, this patch adds a random delay between 200 milliseconds and 3 seconds before sending the response to the client. Resolves: #91243 Releases: master Change-Id: I0362db283145e0bed414ecdb06fff81b2cff0d4b Security-Bulletin: TYPO3-CORE-SA-2020-001 Security-References: CVE-2020-11063 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64466 Tested-by: Oliver Hader <oliver.hader@typo3.org> Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
14929b98 · Frank Naegler · Oliver Hader · dcac1c70 · 14929b98
Commit 14929b98 authored 4 years ago by Frank Naegler Committed by Oliver Hader 4 years ago
--- a/typo3/sysext/backend/Classes/Controller/LoginController.php
+++ b/typo3/sysext/backend/Classes/Controller/LoginController.php
@@ -211,6 +211,11 @@ class LoginController implements LoggerAwareInterface
            $this->view->assign('resetInitiated', true);
        }
        $this->moduleTemplate->setContent($this->view->render());
+        // Prevent time based information disclosure by waiting a random time
+        // before sending a response. This prevents that the reponse time
+        // can be an indicator if the used email exists or not.
+        // wait a random time between 200 milliseconds and 3 seconds.
+        usleep(random_int(200000, 3000000));
        return new HtmlResponse($this->moduleTemplate->renderContent());
    }