Package: interchange
Version: 5.4.1

If you have a lockout specialsub that returns a true value on a session
per IP lockout the lockout will still occur and not be overridden by the
return value of the specialsub.  This is because there is a separate
lockout for session per IP triggers that is done outside of the
do_lockout sub and it does not know about the lockout specialsub or its
return value.

The attached patch passes the return value for the lockout specialsub
back as the return value for do_lockout and then uses the do_lockout
return value to determine whether to perform the secondary lockout for
sessions per IP.

I've been running this patch on a production server for a few months now
and have seen no adverse results.

Index: lib/Vend/Dispatch.pm
===================================================================
RCS file: /var/cvs/interchange/lib/Vend/Dispatch.pm,v
retrieving revision 1.74
diff -u -p -r1.74 Dispatch.pm
--- lib/Vend/Dispatch.pm        22 Sep 2006 07:10:03 -0000      1.74
+++ lib/Vend/Dispatch.pm        26 Jan 2007 04:09:21 -0000
@@ -1371,7 +1371,7 @@ RESOLVEID: {
     }
        else {
                if($Vend::Cfg->{RobotLimit}) {
-                       if (Vend::Session::count_ip() > 
$Vend::Cfg->{RobotLimit}) {
+                       if (Vend::Session::count_ip() > 
$Vend::Cfg->{RobotLimit} && !do_lockout()) {
                                my $msg;
                                # Here they can get it back if they pass 
expiration time
                                my $wait = $::Limit->{robot_expire} || 1;
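Review bot: calling do_lockout() inside the if condition hides a state-changing call in a boolean test. When the specialsub returns true the whole block is skipped, which as far as these hunks show includes the 'Too many IDs' logError, so an overridden RobotLimit hit leaves no trace unless the specialsub logs it itself. Consider storing the result in a named variable (a hypothetical my $overridden = do_lockout(); inside the count_ip() check) and logging the override before skipping the block.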
@@ -1381,7 +1381,6 @@ Too many new ID assignments for this IP 
 before trying again. Only waiting that period will allow access. Terminating.
 EOF
                                $msg = get_locale_message(403, $msg);
-                               do_lockout();
 
                                ::logError('Too many IDs, %d hour wait 
enforced.', $wait);
 
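Review bot: removing the call at this point changes the ordering. The lockout now happens before $msg is built and passed to get_locale_message(), whereas it used to run afterwards. The Error.pm hunk shows do_lockout setting VendURL and SecureURL to http://127.0.0.1 and $Vend::LockedOut to 1, so it is worth confirming that nothing between the condition and this line reads those values.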
Index: lib/Vend/Error.pm
===================================================================
RCS file: /var/cvs/interchange/lib/Vend/Error.pm,v
retrieving revision 2.12
diff -u -p -r2.12 Error.pm
--- lib/Vend/Error.pm   8 Aug 2006 07:20:42 -0000       2.12
+++ lib/Vend/Error.pm   26 Jan 2007 04:09:21 -0000
@@ -172,7 +172,7 @@ sub do_lockout {
                        ::logError("Error running lockout subroutine %s: %s", 
$subname, $@);
                }
 
-               return if $status;
+               return $status if $status;
        }
 
        # Now we log the error after custom lockout routine gets chance
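Review bot: return $status if $status; hands the specialsub's raw return value to callers, and the new contract of the sub (true means the lockout was skipped, false means it was performed) is not documented anywhere in the hunk. That reads backwards at the call site, !do_lockout(), so a short comment above the sub stating the contract, and returning a plain 1 rather than whatever the specialsub produced, would make it harder for a later caller to misuse.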
@@ -197,6 +197,7 @@ sub do_lockout {
        $Vend::Cfg->{VendURL} = $Vend::Cfg->{SecureURL} = 'http://127.0.0.1';
        $Vend::LockedOut = 1;
        logError($msg) if $msg;
+       return;
 }
 
 1;
