Joomla! 4.3.2 Stable

Author: obuisard

administrator/components/com_admin/sql/updates/mysql/4.3.2-2023-05-20.sql

@@ -0,0 +1,2 @@
+ALTER TABLE `#__user_mfa` ADD COLUMN `tries` int NOT NULL DEFAULT 0 /** CAN FAIL **/;
+ALTER TABLE `#__user_mfa` ADD COLUMN `last_try` datetime /** CAN FAIL **/;

administrator/components/com_admin/sql/updates/postgresql/4.3.2-2023-05-20.sql

@@ -0,0 +1,2 @@
+ALTER TABLE "#__user_mfa" ADD COLUMN "tries" bigint DEFAULT 0 NOT NULL /** CAN FAIL **/;
+ALTER TABLE "#__user_mfa" ADD COLUMN "last_try" timestamp without time zone /** CAN FAIL **/;

administrator/components/com_users/config.xml

@@ -329,6 +329,30 @@
 			default=""
 			showon="mfaredirectonlogin:1"
 		/>
+
+		<field
+			name="mfatrycount"
+			type="number"
+			label="COM_USERS_CONFIG_MFATRYCOUNT_LABEL"
+			filter="integer"
+			min="0"
+			max="20"
+			step="1"
+			default="10"
+			validate="number"
+		/>
+
+		<field
+			name="mfatrytime"
+			type="number"
+			label="COM_USERS_CONFIG_MFATRYTIME_LABEL"
+			filter="integer"
+			min="1"
+			max="24"
+			step="1"
+			default="1"
+			validate="number"
+		/>
 	</fieldset>
 
 	<fieldset

administrator/components/com_users/src/Controller/CaptiveController.php

@@ -152,6 +152,18 @@ public function validate($cachable = false, $urlparameters = [])
             throw new RuntimeException(Text::_('COM_USERS_MFA_INVALID_METHOD'), 500);
         }
 
+        if (!$model->checkTryLimit($record)) {
+            // The try limit is reached, show error and return
+            $captiveURL = Route::_('index.php?option=com_users&view=captive&task=select', false);
+            $message    = Text::_('COM_USERS_MFA_TRY_LIMIT_REACHED');
+            $this->setRedirect($captiveURL, $message, 'error');
+
+            $event = new NotifyActionLog('onComUsersCaptiveValidateTryLimitReached');
+            $this->app->getDispatcher()->dispatch($event->getName(), $event);
+
+            return;
+        }
+
         // Validate the code
         $user = $this->app->getIdentity()
             ?: Factory::getContainer()->get(UserFactoryInterface::class)->loadUserById(0);
@@ -210,6 +222,8 @@ function (bool $carry, $result) {
         $jNow = Date::getInstance();
 
         $record->last_used = $jNow->toSql();
+        $record->tries     = 0;
+        $record->last_try  = null;
         $record->store();
 
         // Flag the user as fully logged in

administrator/components/com_users/src/Controller/MethodController.php

@@ -19,6 +19,7 @@
 use Joomla\CMS\MVC\Controller\BaseController as BaseControllerAlias;
 use Joomla\CMS\MVC\Factory\MVCFactoryInterface;
 use Joomla\CMS\Router\Route;
+use Joomla\CMS\Uri\Uri;
 use Joomla\CMS\User\User;
 use Joomla\CMS\User\UserFactoryInterface;
 use Joomla\Component\Users\Administrator\Helper\Mfa as MfaHelper;
@@ -203,7 +204,7 @@ public function regenerateBackupCodes($cachable = false, $urlparams = []): void
         $redirectUrl = 'index.php?option=com_users&task=method.edit&user_id=' . $userId . '&id=' . $backupCodesRecord->id;
         $returnURL   = $this->input->getBase64('returnurl');
 
-        if (!empty($returnURL)) {
+        if (!empty($returnURL) && Uri::isInternal(base64_decode($returnURL))) {
             $redirectUrl .= '&returnurl=' . $returnURL;
         }
 
@@ -258,7 +259,7 @@ public function delete($cachable = false, $urlparams = []): void
         $url       = Route::_('index.php?option=com_users&task=methods.display&user_id=' . $userId, false);
         $returnURL = $this->input->getBase64('returnurl');
 
-        if (!empty($returnURL)) {
+        if (!empty($returnURL) && Uri::isInternal(base64_decode($returnURL))) {
             $url = base64_decode($returnURL);
         }
 
@@ -289,7 +290,7 @@ public function save($cachable = false, $urlparams = []): void
         $url       = Route::_('index.php?option=com_users&task=methods.display&user_id=' . $userId, false);
         $returnURL = $this->input->getBase64('returnurl');
 
-        if (!empty($returnURL)) {
+        if (!empty($returnURL) && Uri::isInternal(base64_decode($returnURL))) {
             $url = base64_decode($returnURL);
         }
 

administrator/components/com_users/src/Controller/MethodsController.php

@@ -101,7 +101,7 @@ public function disable($cachable = false, $urlparams = []): void
         $url       = Route::_('index.php?option=com_users&task=methods.display&user_id=' . $userId, false);
         $returnURL = $this->input->getBase64('returnurl');
 
-        if (!empty($returnURL)) {
+        if (!empty($returnURL) && Uri::isInternal(base64_decode($returnURL))) {
             $url = base64_decode($returnURL);
         }
 
@@ -188,7 +188,7 @@ public function doNotShowThisAgain($cachable = false, $urlparams = []): void
         $url       = Uri::base();
         $returnURL = $this->input->getBase64('returnurl');
 
-        if (!empty($returnURL)) {
+        if (!empty($returnURL) && Uri::isInternal(base64_decode($returnURL))) {
             $url = base64_decode($returnURL);
         }
 

administrator/components/com_users/src/Model/CaptiveModel.php

@@ -13,6 +13,7 @@
 use Exception;
 use Joomla\CMS\Application\CMSApplication;
 use Joomla\CMS\Component\ComponentHelper;
+use Joomla\CMS\Date\Date;
 use Joomla\CMS\Event\MultiFactor\Captive;
 use Joomla\CMS\Factory;
 use Joomla\CMS\Language\Text;
@@ -409,4 +410,43 @@ private function getAllowedModulePositions(): array
 
         return $res;
     }
+
+    /**
+     * Method to check if the mfa method in question has reached it's usage limit
+     *
+     * @param   MfaTable  $method  Mfa method record
+     *
+     * @return  boolean true if user can use the method, false if not
+     *
+     * @since    4.3.2
+     * @throws  \Exception
+     */
+    public function checkTryLimit(MfaTable $method)
+    {
+        $params     = ComponentHelper::getParams('com_users');
+        $jNow       = Date::getInstance();
+        $maxTries   = (int) $params->get('mfatrycount', 10);
+        $blockHours = (int) $params->get('mfatrytime', 1);
+
+        $lastTryTime       = strtotime($method->last_try) ?: 0;
+        $hoursSinceLastTry = (strtotime(Factory::getDate()->toSql()) - $lastTryTime) / 3600;
+
+        if ($method->last_try !== null && $hoursSinceLastTry > $blockHours) {
+            // If it's been long enough, start a new reset count
+            $method->last_try = null;
+            $method->tries    = 0;
+        } elseif ($method->tries < $maxTries) {
+            // If we are under the max count, just increment the counter
+            ++$method->tries;
+            $method->last_try = $jNow->toSql();
+        } else {
+            // At this point, we know we have exceeded the maximum resets for the time period
+            return false;
+        }
+
+        // Store changes to try counter and/or the timestamp
+        $method->store();
+
+        return true;
+    }
 }

administrator/components/com_users/src/Table/MfaTable.php

@@ -43,6 +43,8 @@
  * @property array  $options     Configuration options for the MFA Method.
  * @property string $created_on  Date and time the record was created.
  * @property string $last_used   Date and time the record was last used successfully.
+ * @property int    $tries       Counter for unsuccessful tries
+ * @property string $last_try    Date and time of the last unsuccessful try
  *
  * @since 4.2.0
  */

administrator/components/com_users/src/View/Method/HtmlView.php

@@ -17,6 +17,7 @@
 use Joomla\CMS\Toolbar\Button\LinkButton;
 use Joomla\CMS\Toolbar\Toolbar;
 use Joomla\CMS\Toolbar\ToolbarHelper;
+use Joomla\CMS\Uri\Uri;
 use Joomla\CMS\User\User;
 use Joomla\Component\Users\Administrator\Model\MethodModel;
 
@@ -168,7 +169,9 @@ function ($x) {
         }
 
         $returnUrl = empty($this->returnURL) ? '' : base64_decode($this->returnURL);
-        $returnUrl = $returnUrl ?: Route::_('index.php?option=com_users&task=methods.display&user_id=' . $this->user->id);
+        $returnUrl = ($returnUrl && Uri::isInternal($returnUrl))
+            ? $returnUrl
+            : Route::_('index.php?option=com_users&task=methods.display&user_id=' . $this->user->id);
 
         if ($this->isAdmin && $this->getLayout() === 'edit') {
             $button = (new BasicButton('user-mfa-edit-save'))

administrator/language/en-GB/com_users.ini

@@ -81,6 +81,8 @@ COM_USERS_CONFIG_SAVE_FAILED="An error was encountered while saving the configur
 COM_USERS_CONFIG_SILENTRESPONSES_DESC="For experts. A comma–separated list of Joomla authentication response types which are considered silent logins. The default is <code>cookie</code> (the Remember Me feature) and <code>passwordless</code> (WebAuthn)."
 COM_USERS_CONFIG_SILENTRESPONSES_LABEL="Silent login authentication response types (for experts)"
 COM_USERS_CONFIG_USER_OPTIONS="User Options"
+COM_USERS_CONFIG_MFATRYCOUNT_LABEL="Maximum MFA tries"
+COM_USERS_CONFIG_MFATRYTIME_LABEL="MFA limit block time (in hours)"
 COM_USERS_COUNT_DISABLED_USERS="Blocked Users"
 COM_USERS_COUNT_ENABLED_USERS="Enabled Users"
 COM_USERS_DASHBOARD_TITLE="Users Dashboard"
@@ -271,6 +273,7 @@ COM_USERS_MFA_FIRSTTIME_NOTINTERESTED="Don't show this again"
 COM_USERS_MFA_FIRSTTIME_PAGE_HEAD="Set up your Multi-factor Authentication"
 COM_USERS_MFA_INVALID_CODE="Multi-factor Authentication failed. Please try again."
 COM_USERS_MFA_INVALID_METHOD="Invalid Multi-factor Authentication method."
+COM_USERS_MFA_TRY_LIMIT_REACHED="You have reached the try limit for the currently selected Authentication method. Please choose a different method or wait."
 COM_USERS_MFA_LBL_CREATEDON="Added: %s"
 COM_USERS_MFA_LBL_DATE_FORMAT_PAST="F d, Y"
 COM_USERS_MFA_LBL_DATE_FORMAT_TODAY="H:i"