authorroot2014-04-16 14:14:09 +0200
committerroot2014-04-16 14:14:09 +0200
commit20b0d524a0cbc9fa04c0ae03ed9e50d3ef295ee7 (patch)
tree2ef539c52f63ed39b0768c480df762167b227251
parent8633f22c7adad5f2c97567afcd5a332bfacd7a00 (diff)
parente5447d0702de9733f14d5d6ff1e1b46aac9335af (diff)
downloadfiles.iamfabulous.de-20b0d524a0cbc9fa04c0ae03ed9e50d3ef295ee7.tar.gz
Merged
-rwxr-xr-xblob/database_schema2
-rwxr-xr-xblob/nginx_rewrite_rules1
-rwxr-xr-xwww/functions/func_login.php49
-rwxr-xr-xwww/httperror.php6
-rwxr-xr-xwww/index.php3
-rwxr-xr-xwww/setup.php2
6 files changed, 46 insertions, 17 deletions
diff --git a/blob/database_schema b/blob/database_schema
index c994910..d2bf0cf 100755
--- a/blob/database_schema
+++ b/blob/database_schema
@@ -6,6 +6,6 @@ CREATE TABLE IF NOT EXISTS files (id INTEGER PRIMARY KEY, parent INTEGER, owner
CREATE TABLE IF NOT EXISTS log (id INTEGER PRIMARY KEY, user INTEGER, login TEXT, FOREIGN KEY(user) REFERENCES user(id));
-CREATE TABLE IF NOT EXISTS banned_user (id INTEGER PRIMARY KEY, ip TEXT, session_id TEXT, time INTEGER);
+CREATE TABLE IF NOT EXISTS banned_user (id INTEGER PRIMARY KEY, login_attempts, ip TEXT, session_id TEXT, time INTEGER, user INTEGER);
CREATE TRIGGER IF NOT EXISTS delete_files AFTER DELETE ON user FOR EACH ROW BEGIN DELETE FROM files WHERE owner=OLD.id; END;
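Review bot: `login_attempts` is declared without a type on the added line, while the same column in the `www/setup.php` hunk at the end of this commit is `login_attempts INTEGER`; the two schema definitions should agree, e.g. `CREATE TABLE IF NOT EXISTS banned_user (id INTEGER PRIMARY KEY, login_attempts INTEGER, ip TEXT, session_id TEXT, time INTEGER, user INTEGER);`. Both statements are `CREATE TABLE IF NOT EXISTS`, so a database created before this commit keeps the old four-column table and any INSERT that names `login_attempts` will fail there until an `ALTER TABLE banned_user ADD COLUMN` migration (or a drop-and-recreate step) is provided. The new `user INTEGER` column carries no FOREIGN KEY clause, unlike `log.user` on the line above — presumably it is meant to reference `user(id)`, in which case the same `FOREIGN KEY(user) REFERENCES user(id)` clause belongs here.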
diff --git a/blob/nginx_rewrite_rules b/blob/nginx_rewrite_rules
index 2c9b7f3..e276bcf 100755
--- a/blob/nginx_rewrite_rules
+++ b/blob/nginx_rewrite_rules
@@ -12,6 +12,7 @@ location /favicon.ico {}
location /static {}
try_files $uri @main;
+rewrite ^/banned$ /httperror.php?e=ban;
location ~* ^/login/?([a-z0-9]+=[a-z0-9]+(&[a-z0-9]+=[a-z0-9]+)?)?$ {
rewrite ^/?login([?/]?.*) /index.php?task=login&arguments=$1 last;
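Review bot: The rewrite target `/httperror.php?e=ban` has no trailing `?`, so nginx appends the original request's query string to the rewritten URI (a request for `/banned?x=1` becomes `/httperror.php?e=ban&x=1`). If only the fixed `e=ban` argument is intended, `rewrite ^/banned$ /httperror.php?e=ban?;` drops the caller-supplied arguments. Whether a `last`/`break` flag is needed depends on whether this line sits in server or location context, which the hunk does not show.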
diff --git a/www/functions/func_login.php b/www/functions/func_login.php
index a4d4696..943e20e 100755
--- a/www/functions/func_login.php
+++ b/www/functions/func_login.php
@@ -54,19 +54,29 @@ function logout(){
function brutforce_protection($db){
$_SESSION["login_attempts"] = $_SESSION["login_attempts"] - 1;
+ $remote_ip = $_SERVER["REMOTE_ADDR"];
+ $session_id = session_id();
+ $time = $_SERVER["REQUEST_TIME"];
+
if($_SESSION["login_attempts"] <= 0){
- $remote_ip = $_SERVER["REMOTE_ADDR"];
- $session_id = session_id();
- $time = $_SERVER["REQUEST_TIME"];
- if($db->exec("
+ $db->exec("
BEGIN TRANSACTION;
INSERT INTO banned_user (id, ip, session_id, time) VALUES (NULL, '".SQLite3::escapeString($remote_ip)."', '".SQLite3::escapeString($session_id)."', ".$time.");
COMMIT;
- ")){
- echo "You are banned. ;_;";
- }
- exit;
+ ");
+ banned();
+
+ } else {
+ if($db->exec("
+ BEGIN TRANSACTION;
+ INSERT INTO banned_user (id, login_attemps, ip, session_id, time) VALUES (NULL, ".$_SESSION["login_attempts"].", ".$db->escapeString($remote_ip).", '".SQLite3::escapeString($session_id) ."', '".$time."');
+ COMMIT;
+ ")){
+ return true;
+ } else {
+ return false;
+ }
}
}
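Review bot: The INSERT in the new else branch names the column `login_attemps` and places `$db->escapeString($remote_ip)` in the VALUES list without surrounding quotes, so the statement cannot succeed against the `login_attempts` column this commit adds and the branch always returns false; the attempt counter is therefore never persisted per IP and lives only in `$_SESSION`, which a client resets by discarding its session cookie. The corrected line is `INSERT INTO banned_user (id, login_attempts, ip, session_id, time) VALUES (NULL, ".(int)$_SESSION["login_attempts"].", '".SQLite3::escapeString($remote_ip)."', '".SQLite3::escapeString($session_id)."', ".(int)$time.");`. Building both INSERTs with `$db->prepare()` and `bindValue()` would remove this class of quoting mistake entirely and is the idiomatic SQLite3 form. The ban-branch INSERT above it writes no `login_attempts` value, so `check_if_banned` appears to tell ban rows from attempt rows by a NULL counter — if that is intended, a comment on that INSERT such as `// login_attempts left NULL: marks this row as a ban, not a counter` would make the contract explicit.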
@@ -74,14 +84,27 @@ function check_if_banned($db){
$remote_ip = $_SERVER["REMOTE_ADDR"];
$session_id = session_id();
- $check_db = $db->query("SELECT time FROM banned_user WHERE ip='".SQLite3::escapeString($remote_ip)."' OR session_id='".SQLite3::escapeString($session_id)."';");
+ $check_db = $db->query("SELECT time, login_attempts, id FROM banned_user WHERE ip='".SQLite3::escapeString($remote_ip)."' OR session_id='".SQLite3::escapeString($session_id)."' ORDER BY id DESC;");
$check_ar = $check_db->fetchArray(SQLITE3_NUM);
+ $log_at = $check_ar[1];
+ if($log_at){
+ $_SESSION["login_attempts"] = $log_at;
+ }
+
$accepted_time = $_SERVER["REQUEST_TIME"] - 21600; // == 6h
+ $db->exec("DELETE FROM banned_user WHERE time<'".$accepted_time."'");
- if($check_ar[0] < $accepted_time){
- return false; // not longer banned
- } else {
- return true; // still banned
+ if($log_at <= 0){
+ if ($check_ar[0] >= $accepted_time){
+ return true; // still banned
+ }
}
+
+ return false; // not longer banned
+}
+
+function banned(){
+ header("Refresh: 0; ".$GLOBALS["scheme"].$_SERVER["HTTP_HOST"]."/banned");
+ exit;
}
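Review bot: `banned()` builds its redirect target from `$_SERVER["HTTP_HOST"]`, which is copied from the request's Host header, so the destination of this redirect is chosen by the client rather than the server; a relative target avoids that and uses the standard header: `header("Location: /banned", true, 302); exit;`. In `check_if_banned`, the `DELETE FROM banned_user WHERE time<...` cleanup runs after the SELECT, so a row older than six hours can still restore its `login_attempts` into the session on the lines above before being purged — moving the DELETE above `$db->query(...)` makes the expiry apply to the counter as well as to bans. `fetchArray()` returns false when no row matches and `$check_ar[1]` is then read without a guard; `$log_at = $check_ar ? $check_ar[1] : null;` keeps the no-row path explicit.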
diff --git a/www/httperror.php b/www/httperror.php
index 8b1a62a..423f0fa 100755
--- a/www/httperror.php
+++ b/www/httperror.php
@@ -6,6 +6,8 @@
500
502
504
+
+ ban -- user is banned and not allowed to log in
404 is displayed if $_GET["e"] is not set.
@@ -49,6 +51,10 @@
}elseif($_GET['e']==504){
echo '<h1 id="Error-Page-head" >'.$_GET['e'].'</h1>';
echo '<h2 id="Error-Page-description" >A server i&#39;m trying to contact is insanely slow. </br>I can&#39;t wait forever. I&#39;m sorry!</h2>';
+
+ }elseif($_GET['e']=='ban'){
+ echo '<h1 id="Error-Page-head" >You are banned!</h1>';
+ echo '<h2 id="Error-Page-description" >Too many authentication failures.</br>It&#39s not my fault. I swear.</h2>';
}?>
</div>
<?php include("static/footer.html");?>
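Review bot: The new `ban` branch writes `It&#39s` without the entity's closing semicolon, unlike `I&#39;m` on the neighbouring lines, so the apostrophe may not be rendered; the line should read `echo '<h2 id="Error-Page-description" >Too many authentication failures.</br>It&#39;s not my fault. I swear.</h2>';`. The elseif chain this branch extends begins above the hunk.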
diff --git a/www/index.php b/www/index.php
index 73c9b5d..3110776 100755
--- a/www/index.php
+++ b/www/index.php
@@ -12,8 +12,7 @@ if(!isset($_SESSION["login_attempts"])){
}
if(check_if_banned($db)){
- echo "You are banned. ;_;";
- exit;
+ banned();
}
if(empty($_GET)){
diff --git a/www/setup.php b/www/setup.php
index 99c9034..8d56f6e 100755
--- a/www/setup.php
+++ b/www/setup.php
@@ -57,7 +57,7 @@ if($bool){
CREATE TABLE IF NOT EXISTS files (id INTEGER PRIMARY KEY, parent INTEGER, owner INTEGER, name TEXT, folder TEXT, mime TEXT, size INTEGER, share TEXT, hash TEXT, download_link TEXT, FOREIGN KEY(owner) REFERENCES user(id));
INSERT INTO files (id, parent, owner, name, folder, size, share, hash, download_link) VALUES (NULL, 0, 1, '/', 'DIRECTORY', 0, 'HIDDEN', '', '');
CREATE TABLE IF NOT EXISTS log (id INTEGER PRIMARY KEY, user INTEGER, login TEXT, FOREIGN KEY(user) REFERENCES user(id));
- CREATE TABLE IF NOT EXISTS banned_user (id INTEGER PRIMARY KEY, ip TEXT, session_id TEXT, time INTEGER);
+ CREATE TABLE IF NOT EXISTS banned_user (id INTEGER PRIMARY KEY, login_attempts INTEGER, ip TEXT, session_id TEXT, time INTEGER, user INTEGER);
CREATE TRIGGER IF NOT EXISTS delete_files AFTER DELETE ON user FOR EACH ROW BEGIN DELETE FROM files WHERE owner=OLD.id; END;
COMMIT;")
) {