Merge branch '4.4.0-alpha' into 4.4-dev

Author: laoneo

administrator/components/com_admin/sql/updates/mysql/4.3.2-2023-05-20.sql

@@ -0,0 +1,2 @@
+ALTER TABLE `#__user_mfa` ADD COLUMN `tries` int NOT NULL DEFAULT 0 /** CAN FAIL **/;
+ALTER TABLE `#__user_mfa` ADD COLUMN `last_try` datetime /** CAN FAIL **/;

administrator/components/com_admin/sql/updates/postgresql/4.3.2-2023-05-20.sql

@@ -0,0 +1,2 @@
+ALTER TABLE "#__user_mfa" ADD COLUMN "tries" bigint DEFAULT 0 NOT NULL /** CAN FAIL **/;
+ALTER TABLE "#__user_mfa" ADD COLUMN "last_try" timestamp without time zone /** CAN FAIL **/;

administrator/components/com_categories/src/View/Categories/HtmlView.php

@@ -88,7 +88,7 @@ class HtmlView extends BaseHtmlView
      * The ordering list for the categories
      *
      * @var    array
-     * @since  __DEPLOY_VERSION__
+     * @since  4.4.0
      */
     protected $ordering = [];
 

administrator/components/com_content/src/View/Articles/HtmlView.php

@@ -88,15 +88,15 @@ class HtmlView extends BaseHtmlView
      * Is the vote plugin enabled on the site
      *
      * @var   boolean
-     * @since __DEPLOY_VERSION__
+     * @since 4.4.0
      */
     protected $vote = false;
 
     /**
      * Are hits being recorded on the site?
      *
      * @var   boolean
-     * @since __DEPLOY_VERSION__
+     * @since 4.4.0
      */
     protected $hits = false;
 

administrator/components/com_privacy/src/Plugin/PrivacyPlugin.php

@@ -36,7 +36,7 @@ abstract class PrivacyPlugin extends CMSPlugin
      *
      * @var    \Joomla\Database\DatabaseDriver
      * @since  3.9.0
-     * @deprecated  __DEPLOY_VERSION__ will be removed in 6.0 use $this->getDatabase() instead
+     * @deprecated  4.4.0 will be removed in 6.0 use $this->getDatabase() instead
      */
     protected $db;
 

administrator/components/com_tags/src/View/Tags/HtmlView.php

@@ -84,7 +84,7 @@ class HtmlView extends BaseHtmlView
      * The ordering list for the tags
      *
      * @var    array
-     * @since  __DEPLOY_VERSION__
+     * @since  4.4.0
      */
     protected $ordering = [];
 

administrator/components/com_users/config.xml

@@ -329,6 +329,30 @@
 			default=""
 			showon="mfaredirectonlogin:1"
 		/>
+
+		<field
+			name="mfatrycount"
+			type="number"
+			label="COM_USERS_CONFIG_MFATRYCOUNT_LABEL"
+			filter="integer"
+			min="0"
+			max="20"
+			step="1"
+			default="10"
+			validate="number"
+		/>
+
+		<field
+			name="mfatrytime"
+			type="number"
+			label="COM_USERS_CONFIG_MFATRYTIME_LABEL"
+			filter="integer"
+			min="1"
+			max="24"
+			step="1"
+			default="1"
+			validate="number"
+		/>
 	</fieldset>
 
 	<fieldset

administrator/components/com_users/src/Controller/CaptiveController.php

@@ -153,6 +153,18 @@ public function validate($cachable = false, $urlparameters = [])
             throw new RuntimeException(Text::_('COM_USERS_MFA_INVALID_METHOD'), 500);
         }
 
+        if (!$model->checkTryLimit($record)) {
+            // The try limit is reached, show error and return
+            $captiveURL = Route::_('index.php?option=com_users&view=captive&task=select', false);
+            $message    = Text::_('COM_USERS_MFA_TRY_LIMIT_REACHED');
+            $this->setRedirect($captiveURL, $message, 'error');
+
+            $event = new NotifyActionLog('onComUsersCaptiveValidateTryLimitReached');
+            $this->app->getDispatcher()->dispatch($event->getName(), $event);
+
+            return;
+        }
+
         // Validate the code
         $user = $this->app->getIdentity() ?: $this->getUserFactory()->loadUserById(0);
 
@@ -210,6 +222,8 @@ function (bool $carry, $result) {
         $jNow = Date::getInstance();
 
         $record->last_used = $jNow->toSql();
+        $record->tries     = 0;
+        $record->last_try  = null;
         $record->store();
 
         // Flag the user as fully logged in

administrator/components/com_users/src/Controller/MethodController.php

@@ -18,6 +18,7 @@
 use Joomla\CMS\MVC\Controller\BaseController as BaseControllerAlias;
 use Joomla\CMS\MVC\Factory\MVCFactoryInterface;
 use Joomla\CMS\Router\Route;
+use Joomla\CMS\Uri\Uri;
 use Joomla\CMS\User\User;
 use Joomla\CMS\User\UserFactoryAwareInterface;
 use Joomla\CMS\User\UserFactoryAwareTrait;
@@ -205,7 +206,7 @@ public function regenerateBackupCodes($cachable = false, $urlparams = []): void
         $redirectUrl = 'index.php?option=com_users&task=method.edit&user_id=' . $userId . '&id=' . $backupCodesRecord->id;
         $returnURL   = $this->input->getBase64('returnurl');
 
-        if (!empty($returnURL)) {
+        if (!empty($returnURL) && Uri::isInternal(base64_decode($returnURL))) {
             $redirectUrl .= '&returnurl=' . $returnURL;
         }
 
@@ -260,7 +261,7 @@ public function delete($cachable = false, $urlparams = []): void
         $url       = Route::_('index.php?option=com_users&task=methods.display&user_id=' . $userId, false);
         $returnURL = $this->input->getBase64('returnurl');
 
-        if (!empty($returnURL)) {
+        if (!empty($returnURL) && Uri::isInternal(base64_decode($returnURL))) {
             $url = base64_decode($returnURL);
         }
 
@@ -291,7 +292,7 @@ public function save($cachable = false, $urlparams = []): void
         $url       = Route::_('index.php?option=com_users&task=methods.display&user_id=' . $userId, false);
         $returnURL = $this->input->getBase64('returnurl');
 
-        if (!empty($returnURL)) {
+        if (!empty($returnURL) && Uri::isInternal(base64_decode($returnURL))) {
             $url = base64_decode($returnURL);
         }
 

administrator/components/com_users/src/Controller/MethodsController.php

@@ -103,7 +103,7 @@ public function disable($cachable = false, $urlparams = []): void
         $url       = Route::_('index.php?option=com_users&task=methods.display&user_id=' . $userId, false);
         $returnURL = $this->input->getBase64('returnurl');
 
-        if (!empty($returnURL)) {
+        if (!empty($returnURL) && Uri::isInternal(base64_decode($returnURL))) {
             $url = base64_decode($returnURL);
         }
 
@@ -190,7 +190,7 @@ public function doNotShowThisAgain($cachable = false, $urlparams = []): void
         $url       = Uri::base();
         $returnURL = $this->input->getBase64('returnurl');
 
-        if (!empty($returnURL)) {
+        if (!empty($returnURL) && Uri::isInternal(base64_decode($returnURL))) {
             $url = base64_decode($returnURL);
         }