dokuwiki-tokenbucketauth's People

Contributors

aorimn, lazyzero, sawachan, splitbrain

dokuwiki-tokenbucketauth's Issues

email to admins not working

I have an install on Greebo – which I should update – that at some point has stopped sending emails when it blocks an IP address. I can't find a mechanism to test; other emails from the wiki are working, however. Looking at the code the plugin is calling mail_send, which appears to be deprecated from Hogfather – so it will definitely stop working if I upgrade. I can't see why it's not working under Greebo though, as that function is still there?

Grateful for any help to get notified when someone locks themselves out!

"deprecated" warning logs in Jack Jackrum

Hello,

I get many of the following entries in the "deprecated" logs.
(I'm running Jack Jackrum):

2023-06-19 12:55:53require(admin.php) is deprecated. It was called from require() in /var/www/html/usrnm-dokuwiki/lib/plugins/tokenbucketauth/admin.php:13 Autoloading should be used instead!

It would be great if this could be fixed I guess (I'm not familiar with what these log entries mean, sorry). The plugin still seems to work for now, though.

Best,
-a-

IP is reported as blocked but still can connect to DW with the right password

Hi,

I tested the plugin in Weatherwax.
I set up the following in configuration settings (admin account):
tba_block_time: 600
tba_nb_attempt: 3
tba_mean_time: 300

If I enter a wrong password 3 times in a row together with a given user name, I then get an email telling me the corresponding IP address is now blocked. However, I can immediately log in successfully if I provide the correct password for that username.

So, to me it seems like the plugin is doing nothing since brute-force attacks could still be successful.

I can provide the list of plugins that I have installed if you think there might be a conflict or something.

Best,
-a-
PS:
I get the same behavior in Binky.

Add hogfather support

This extension does not work with the latest dokuwiki version. It could be nice to either update it or at least warn users that it will break their install.

compatible with Hogfather?

Hi :)

I am currently running Greebo and considering upgrading to Hogfather.
Is this plugin compatible with Hogfather?

Thanks
-a-

loop on null value when ip is new.

Hello,

Nice plugin, thank you.

I have found a small problem though. When an IP has never been seen, $ts = $this->users_tracker[$ip]; is NULL, and trying to loop on NULL a few lines later emits an « invalid argument for foreach » warning that I can't prevent at my webhoster.

I could solve this by replacing line 121

foreach($ts as $onets)

with

if($ts) foreach($ts as $onets)

/Schplurtz
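
The two reports above (a blocked IP that can still log in, and the foreach over NULL for a new IP) both concern the order and shape of the throttle check. An added sketch, not the plugin's code: the class and method names are hypothetical, the three constructor arguments stand for the tba_nb_attempt, tba_mean_time and tba_block_time settings, and the sample address and timestamps are constructed.

```php
<?php
// Added example; not the plugin's code. LoginThrottle and attempt() are hypothetical names.
final class LoginThrottle
{
    private $failures = [];      // ip => list of failure timestamps
    private $blockedUntil = [];  // ip => unix time at which the block ends
    private $nbAttempt, $meanTime, $blockTime; // tba_nb_attempt, tba_mean_time (s), tba_block_time (s)

    public function __construct(int $nbAttempt, int $meanTime, int $blockTime)
    {
        $this->nbAttempt = $nbAttempt;
        $this->meanTime = $meanTime;
        $this->blockTime = $blockTime;
    }

    /** $verify is the real credential check; it is never reached for a blocked address. */
    public function attempt(string $ip, int $now, callable $verify): string
    {
        if (($this->blockedUntil[$ip] ?? 0) > $now) {
            return 'blocked';
        }
        if ($verify()) {
            return 'ok';
        }
        // An address never seen before has no entry: iterate over [] rather than NULL.
        $recent = [];
        foreach ($this->failures[$ip] ?? [] as $ts) {
            if ($ts > $now - $this->meanTime) {
                $recent[] = $ts;   // keep only failures inside the window
            }
        }
        $recent[] = $now;
        $this->failures[$ip] = $recent;
        if (count($recent) >= $this->nbAttempt) {
            $this->blockedUntil[$ip] = $now + $this->blockTime;
        }
        return 'failed';
    }
}
// Constructed run with the values quoted in the report: 3 attempts, 300 s window, 600 s block.
$t = new LoginThrottle(3, 300, 600);
$wrong = function () { return false; };
$right = function () { return true; };
foreach ([0, 10, 20] as $now) {
    echo $t->attempt('192.0.2.7', $now, $wrong), "\n"; // three wrong passwords
}
echo $t->attempt('192.0.2.7', 30, $right), "\n";  // correct password while the block is active
echo $t->attempt('192.0.2.7', 621, $right), "\n"; // correct password after the block has expired
```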

tba/action.php expects whitelist setting to be array but setting is string.

Hi again.

I found another issue with tokenbucketauth. This problem only appears
after the DokuWiki configuration manager is used. tba/action.php expects
$conf['plugin']['tokenbucketauth']['tba_whitelist'] to be an array,
but it is not possible to save arrays using the DokuWiki configuration manager.
https://www.dokuwiki.org/devel:configuration#configuration_metadata mentions
only scalar values: string, boolean, number.

As soon as DW configuration manager is used, DW tries to convert whitelist
default value to a string and fails. This may pass unnoticed
though, if one wants to set something else and does not scroll down to tba
settings.

The result is that either a default empty value or the user-entered value
is stored in dw/conf/local.php as a string, not an array.

When one tries to log in, tba/action.php is really unhappy at line 89, as
shown here

My solution to this problem is to

  1. set '127.0.0.1' as default value (not array( '127.0.0.1')) in tba/conf/default.php
  2. Change line 89 of tba/action.php: split the string value in an array, and then check if the remote IP is in the array. The line should read : if(in_array($ip, preg_split( '/[\s,]+/', $this->getConf('tba_whitelist'), 0, PREG_SPLIT_NO_EMPTY )))
  3. create settings description so users know they have to enter a comma or blank separated list of IP addresses in the white-list parameter
  4. create French description settings

Here is the patch I successfully used https://gist.github.com/schplurtz/55d6d712514a70562990 to solve this.

regards,
Schplurtz.
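
The whitelist handling described in the issue above, as an added example that is not the plugin's code or the linked patch. The function names are hypothetical and the sample values are constructed; validating each entry with filter_var() and comparing packed addresses goes beyond the one-line fix proposed above, so that a malformed entry can never exempt an address from throttling.

```php
<?php
// Added example; not the plugin's code. Function names are hypothetical.

/**
 * Turn the tba_whitelist setting into a list of packed IP addresses.
 * Accepts the legacy array default as well as the string that the
 * configuration manager stores in conf/local.php.
 */
function tba_parse_whitelist($setting): array
{
    if (is_array($setting)) {
        $entries = $setting;
    } else {
        // Same separators as the fix proposed in the issue: commas and/or whitespace.
        $entries = preg_split('/[\s,]+/', (string) $setting, -1, PREG_SPLIT_NO_EMPTY);
    }
    $packed = [];
    foreach ($entries as $entry) {
        // Skip anything that is not a literal IPv4/IPv6 address.
        if (is_string($entry) && filter_var($entry, FILTER_VALIDATE_IP) !== false) {
            $packed[] = inet_pton($entry);
        }
    }
    return $packed;
}

function tba_is_whitelisted(string $remoteIp, $setting): bool
{
    if (filter_var($remoteIp, FILTER_VALIDATE_IP) === false) {
        return false; // unparseable client address is never exempt
    }
    // Strict comparison of packed bytes, so different spellings of one IPv6 address match.
    return in_array(inet_pton($remoteIp), tba_parse_whitelist($setting), true);
}

// Constructed sample values.
var_dump(tba_is_whitelisted('127.0.0.1', array('127.0.0.1')));        // legacy array default
var_dump(tba_is_whitelisted('10.0.0.5', "127.0.0.1, 10.0.0.5\n::1")); // string from local.php
var_dump(tba_is_whitelisted('0:0:0:0:0:0:0:1', '127.0.0.1 ::1'));     // long IPv6 spelling of ::1
var_dump(tba_is_whitelisted('10.0.0.6', ''));                         // empty setting
var_dump(tba_is_whitelisted('10.0.0.6', '10.0.0.*, 10.0.0'));         // malformed entries are ignored
```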

previous thread was closed a little too soon?

Hi,

Maybe I spoke too fast. Here is what I posted on the previous thread AFTER it was closed:

"almost... actually now I have the following problem.

I set the following timing:
IP blocked for 1h if password is wrong 3 times in the last 1h.
Once an IP is banned it cannot access the wiki (for the next 1h).

now if I remove the IP from the list of banned IP, it can still not access the wiki (for the next 1h) even though the credentials are OK...
weird

Best,
-a-
