Commit 0caa4a25 authored by Stefano Sanfilippo's avatar Stefano Sanfilippo

Moving rate limit after password check to avoid /macupdate DoS

parent a721718c
......@@ -373,11 +373,6 @@ class MACUpdateHandler(BaseHandler):
def post(self):
now = datetime.now()
if (now - MACUpdateHandler.LAST_ATTEMPT) < timedelta(seconds=options.mac_update_interval):
LOG.warning("Too frequent attempts to update, remote IP address is {}".format(self.request.remote_ip))
raise HTTPError(403, "Too frequent")
else:
MACUpdateHandler.LAST_ATTEMPT = now
try:
password = self.get_argument("password")
......@@ -390,6 +385,12 @@ class MACUpdateHandler(BaseHandler):
LOG.warning("Client provided wrong password for MAC update!")
raise HTTPError(403, "Wrong password")
if (now - MACUpdateHandler.LAST_ATTEMPT) < timedelta(seconds=options.mac_update_interval):
LOG.warning("Too frequent attempts to update, remote IP address is {}".format(self.request.remote_ip))
raise HTTPError(403, "Too frequent")
else:
MACUpdateHandler.LAST_ATTEMPT = now
LOG.info("Authorized request to update list of checked-in users from IP address {}".format(self.request.remote_ip))
macs = json.loads(macs)
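Review bot: With the interval check now placed after the password check (L19-L23), the wrong-password branch at L17-L18 is no longer throttled at all, so repeated bad-password requests run at line rate and the shared `LAST_ATTEMPT` timestamp never protects the credential check; the commit removes the lockout DoS but leaves password guessing unbounded. A separate throttle on failed attempts, ideally keyed by `self.request.remote_ip` (e.g. a proposed class-level dict of last-failure times checked before `get_argument("password")` and updated in the wrong-password branch), would keep the DoS fix while still bounding guesses. Since `now` is sampled at the top of `post` before the password check, the time spent validating the password is not counted against the interval; a comment such as `# now is taken at request arrival, before the password check, so the interval is measured from arrival` would make that deliberate. The `post` body continues outside both hunks and the password comparison itself is not visible here, so its behaviour cannot be reviewed from this page.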