U4-10123 Make sure the backoffice login is not susceptible to DOS attacks

This commit is contained in:
Shannon
2017-07-25 19:40:30 +10:00
parent c5e7e1e39e
commit 1ccc8cc161
2 changed files with 23 additions and 10 deletions


@@ -10,7 +10,8 @@ namespace Umbraco.Web.Models
public string Username { get; set; }
[Required]
[DataMember(Name = "password", IsRequired = true)]
[DataMember(Name = "password", IsRequired = true)]
[StringLength(maximumLength:256)]
public string Password { get; set; }
}
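Review bot: The new `[StringLength(maximumLength:256)]` on Password carries no explanation of why the bound exists, and a later maintainer seeing a 256-character cap on a password field is likely to relax or remove it; a why-comment above the attribute would prevent that, e.g. `// Bound the password length so that hashing arbitrarily long input cannot be used to exhaust CPU on the login endpoint (U4-10123).`. The attribute is only enforced where the model is validated, so it presumably relies on the login action checking ModelState before the credentials reach the password hasher — worth confirming at the call site, since the hunk does not show it. The DataMember line appears twice in the rendered view, which looks like a rendering artefact rather than a change, but the old/new side of those two lines is not recoverable here.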


@@ -63,17 +63,29 @@ namespace Umbraco.Web.Security.Identity
return null;
}
var identity = new UmbracoBackOfficeIdentity(decrypt);
var ticket = new AuthenticationTicket(identity, new AuthenticationProperties
try
{
ExpiresUtc = decrypt.Expiration.ToUniversalTime(),
IssuedUtc = decrypt.IssueDate.ToUniversalTime(),
IsPersistent = decrypt.IsPersistent,
AllowRefresh = true
});
var identity = new UmbracoBackOfficeIdentity(decrypt);
return ticket;
var ticket = new AuthenticationTicket(identity, new AuthenticationProperties
{
ExpiresUtc = decrypt.Expiration.ToUniversalTime(),
IssuedUtc = decrypt.IssueDate.ToUniversalTime(),
IsPersistent = decrypt.IsPersistent,
AllowRefresh = true
});
return ticket;
}
catch (JsonReaderException)
{
//catch this and return null if the json is invalid
//NOTE: This will happen when running on local host and developing on 7.6 and 7.7+ because 7.7 has a different
// auth ticket format.
return null;
}
}
}
}
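Review bot: The new `catch (JsonReaderException)` returns null without any trace of the failure, so in production a malformed or tampered auth cookie is indistinguishable from a missing one; the comment only justifies the swallow for the local 7.6/7.7 development case. If this class has a logger in scope, a debug-level entry inside the catch before `return null;` (e.g. `// log at debug so rejected/malformed tickets are visible without breaking the dev scenario described below`) would keep the intended behaviour while leaving a signal for anyone investigating rejected logins. The try block covers both the identity construction and the ticket build; the enclosing method begins outside the hunk, so whether an outer handler already logs this could not be checked from here.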