|
|
@@ -11,7 +11,7 @@
|
|
|
>
|
|
|
> Each finding is referenced as **F<N>** for later citation.
|
|
|
>
|
|
|
-> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2, 42 sev-1.
|
|
|
+> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (1 fixed, 26 open), 42 sev-1.
|
|
|
|
|
|
---
|
|
|
|
|
|
@@ -155,6 +155,27 @@
|
|
|
multiplies allowed attempts by N silently. No persistent (DB / Redis)
|
|
|
backing.
|
|
|
- **Severity: 2**
|
|
|
+- **Status:** Fixed in `d119b72`. State moved behind a `ThrottleStore`
|
|
|
+ abstraction; production wires `FileThrottleStore`, a flock-protected
|
|
|
+ JSON file under `sys_get_temp_dir()` (overridable via
|
|
|
+ `LOGIN_THROTTLE_PATH`). All FrankenPHP workers in one container share
|
|
|
+ the same file: counters survive worker recycle and a single counter
|
|
|
+ is incremented across the worker pool. Mutations take an exclusive
|
|
|
+ lock on a sibling `.lock` file and write through a temp file + rename,
|
|
|
+ so readers always see a consistent snapshot. Stale entries
|
|
|
+ (`lockedUntil + 24 h < now`) are GC'd opportunistically. The file
|
|
|
+ lives on the container's ephemeral writable layer, so a container
|
|
|
+ restart still clears it — preserving the documented operator-unlock
|
|
|
+ path. Multi-replica deployments still require sticky-LB mode (SPEC's
|
|
|
+ documented topology). Regression tests in
|
|
|
+ `ui/tests/Unit/Auth/FileThrottleStoreTest.php`
|
|
|
+ (`testFailureRecordedOnOneInstanceIsVisibleToAnother`,
|
|
|
+ `testClearOnOneInstanceIsVisibleToAnother`,
|
|
|
+ `testCorruptFileIsTreatedAsEmpty`,
|
|
|
+ `testStaleEntriesGarbageCollected`,
|
|
|
+ `testWritesGoThroughTempPlusRename`,
|
|
|
+ `testResetUnlinksFile`) and
|
|
|
+ `LocalLoginTest::testFailuresArePersistedToConfiguredFilePath`.
|
|
|
|
|
|
### F7 — Username enumeration via response timing on local login
|
|
|
- **File:** `ui/src/Auth/LocalLoginController.php:77-78`
|
chiappa