From 37457391585f59010b0936b9233a25bd32d79d31 Mon Sep 17 00:00:00 2001
From: iglocska
Date: Sat, 19 Feb 2022 01:42:24 +0100
Subject: [PATCH] chg: [flood protection] Changed the description of the setting based on the used IP source - added a warning about the IP source setting affecting the efficacy of the flood protection in regards to an attacker being potentially able to spoof their IP - Warn the admin to make sure that the reverse proxy used (the main reason to use the alternate headers in the first place) needs to be configured to correctly overwrite the header - as reported by Dawid Czarnecki of Zigrin Security
---
 .../Table/SettingProviders/CerebrateSettingsProvider.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/Model/Table/SettingProviders/CerebrateSettingsProvider.php b/src/Model/Table/SettingProviders/CerebrateSettingsProvider.php
index a2102e5..908d9aa 100644
--- a/src/Model/Table/SettingProviders/CerebrateSettingsProvider.php
+++ b/src/Model/Table/SettingProviders/CerebrateSettingsProvider.php
@@ -8,6 +8,7 @@ require_once(APP . 'Model' . DS . 'Table' . DS . 'SettingProviders' . DS . 'Base
 use App\Settings\SettingsProvider\BaseSettingsProvider;
 use App\Settings\SettingsProvider\SettingValidator;
+use Cake\Core\Configure;
 class CerebrateSettingsProvider extends BaseSettingsProvider { 
@@ -300,7 +301,9 @@ class CerebrateSettingsProvider extends BaseSettingsProvider
 'security.registration.floodProtection' => [
 'name' => __('Enable registration flood-protection'),
 'type' => 'boolean',
- 'description' => __('Enabling this setting will only allow 5 registrations / IP address every 15 minutes (rolling time-frame).'),
+ 'description' => (Configure::check('security.logging.ip_source') && Configure::read('security.logging.ip_source') !== 'REMOTE_ADDR') ?
+ __('Enabling this setting will only allow 5 registrations / IP address every 15 minutes (rolling time-frame). WARNING: Be aware that you are not using REMOTE_ADDR (as configured via security.logging.ip_source) - this could lead to an attacker being able to spoof their IP and circumvent the flood protection. Only rely on the client IP if your reverse proxy in front of Cerebrate is properly setting this header.'):
+ __('Enabling this setting will only allow 5 registrations / IP address every 15 minutes (rolling time-frame).'),
 'default' => true,
 ],
 ]
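Review bot: The added warning on the `'description'` line tells admins the reverse proxy must be "properly setting this header", but the spoofing risk it describes comes from a proxy that appends to, or passes through, a client-supplied `X-Forwarded-For`-style value rather than replacing it, so the text should say what the commit message already says and demand overwriting: I would end the string with `Only rely on this header if the reverse proxy in front of Cerebrate discards any client-supplied value and overwrites it with the real client IP.` The commit changes only the description, so whatever code enforces the 5-per-15-minutes limit presumably still trusts the configured header as-is; the warning is guidance, not a mitigation, and stating that plainly ("this setting does not validate the header") would keep admins from reading it as one. The reverse case deserves a sentence too: with `REMOTE_ADDR` behind a reverse proxy every visitor appears to share the proxy's address, so the limit would then throttle all registrations together, which is why the alternate header exists in the first place. As a point of style, `Configure::read('security.logging.ip_source', 'REMOTE_ADDR') !== 'REMOTE_ADDR'` folds the `check`/`read` pair into one call if this CakePHP version supports the default argument, and the ternary's `):` is missing a space before the colon; note also that the text is evaluated once when the provider is built, so if `security.logging.ip_source` is itself edited at runtime the warning will not follow until the configuration is reloaded.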