From 14929b98ecda0ce67329b0f25ca7c01ee85df574 Mon Sep 17 00:00:00 2001
From: Frank Naegler <frank.naegler@typo3.org>
Date: Tue, 12 May 2020 11:21:38 +0200
Subject: [PATCH] [SECURITY] Prevent time based information disclosure

To prevent a time based information disclosure in backend password reset,
this patch adds a random delay between 200 milliseconds and 3 seconds
before sending the response to the client.

Resolves: #91243
Releases: master
Change-Id: I0362db283145e0bed414ecdb06fff81b2cff0d4b
Security-Bulletin: TYPO3-CORE-SA-2020-001
Security-References: CVE-2020-11063
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64466
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
---
 typo3/sysext/backend/Classes/Controller/LoginController.php | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/typo3/sysext/backend/Classes/Controller/LoginController.php b/typo3/sysext/backend/Classes/Controller/LoginController.php
index f834c2e2e3fe..7372f714b739 100644
--- a/typo3/sysext/backend/Classes/Controller/LoginController.php
+++ b/typo3/sysext/backend/Classes/Controller/LoginController.php
@@ -211,6 +211,11 @@ class LoginController implements LoggerAwareInterface
             $this->view->assign('resetInitiated', true);
         }
         $this->moduleTemplate->setContent($this->view->render());
+        // Prevent time based information disclosure by waiting a random time
+        // before sending a response. This prevents that the reponse time
+        // can be an indicator if the used email exists or not.
+        // wait a random time between 200 milliseconds and 3 seconds.
+        usleep(random_int(200000, 3000000));
         return new HtmlResponse($this->moduleTemplate->renderContent());
     }
 
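Review bot: The random delay on the `usleep(random_int(200000, 3000000));` line narrows but does not close the timing channel, because the jitter is drawn from the same distribution on both code paths; an attacker who samples enough requests can average it out and still recover the difference in processing time between a known and an unknown email address. A more robust pattern is to pad every response to a fixed floor: record `$started = microtime(true);` at the top of the method (which begins above this hunk) and sleep only for the remainder, optionally adding a small jitter on top — noting that any request whose real work exceeds the floor still leaks, so the floor must comfortably exceed the slow path. Independently, sleeping up to 3 s inside the request pins a PHP worker for that long, so this endpoint should be rate limited unless that is already handled elsewhere (not visible here). Minor: the comment above the sleep misspells "response" as "reponse".

```php
$this->moduleTemplate->setContent($this->view->render());
// Pad every response to the same floor (timer started with $started = microtime(true)
// at the top of the method, outside this hunk) so the response time no longer
// depends on whether the address matched an account; random jitter alone can be
// averaged away by an attacker taking many samples.
$floorMicroseconds = 1000000;
$elapsedMicroseconds = (int) ((microtime(true) - $started) * 1000000);
if ($elapsedMicroseconds < $floorMicroseconds) {
    usleep($floorMicroseconds - $elapsedMicroseconds);
}
return new HtmlResponse($this->moduleTemplate->renderContent());
```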
-- 
GitLab