From 9c4c5e2d1a67f24dcc4c322c1b50e3e89b5fcdd9 Mon Sep 17 00:00:00 2001
From: Christophe Dumez
Date: Thu, 14 Jan 2010 20:40:06 +0000
Subject: [PATCH] - Protect Web UI authentication against brute forcing (IP are banned after 3 failed attempts)
---
 src/httpconnection.cpp | 19 +++++++++++++++----
 src/httpserver.h | 2 ++
 2 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/src/httpconnection.cpp b/src/httpconnection.cpp
index e61a32ca4..07e76031b 100644
--- a/src/httpconnection.cpp
+++ b/src/httpconnection.cpp
@@ -128,17 +128,28 @@ QString HttpConnection::translateDocument(QString data) {
 return data;
 }
-void HttpConnection::respond()
-{
+void HttpConnection::respond() {
 //qDebug("Respond called");
+ int nb_fail = parent->client_failed_attempts.value(socket->peerAddress().toString(), 0);
+ if(nb_fail > 2) {
+ generator.setStatusLine(403, "Forbidden");
+ generator.setMessage(tr("Your IP address has been banned after too many failed authentication attempts."));
+ write();
+ return;
+ }
 QStringList auth = parser.value("Authorization").split(" ", QString::SkipEmptyParts);
- if (auth.size() != 2 || QString::compare(auth[0], "Basic", Qt::CaseInsensitive) != 0 || !parent->isAuthorized(auth[1].toLocal8Bit()))
- {
+ if (auth.size() != 2 || QString::compare(auth[0], "Basic", Qt::CaseInsensitive) != 0 || !parent->isAuthorized(auth[1].toLocal8Bit())) {
+ // Update failed attempt counter
+ parent->client_failed_attempts.insert(socket->peerAddress().toString(), nb_fail+1);
+ qDebug("client IP: %s (%d failed attempts)", socket->peerAddress().toString().toLocal8Bit().data(), nb_fail);
+ // Return unauthorized header
 generator.setStatusLine(401, "Unauthorized");
 generator.setValue("WWW-Authenticate", "Basic realm=\"you know what\"");
 write();
 return;
 }
+ // Client sucessfuly authenticated, reset number of failed attempts
+ parent->client_failed_attempts.remove(socket->peerAddress().toString());
 QString url = parser.url();
 // Favicon
 if(url.endsWith("favicon.ico")) {
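Review bot: A request that carries no Authorization header at all is counted as a failed attempt, because `auth.size() != 2` is true for a missing header and the counter is incremented on every path into that branch; the first request of any Basic-auth exchange is exactly such a request, so every fresh browser visit (and any client that probes before sending credentials) burns one of the three allowed attempts. Only a credential that was actually presented and rejected should advance the counter, and the qDebug line should print `nb_fail+1`, the value just stored, rather than the previous count. Separately, entries in `client_failed_attempts` are never expired: a banned address stays banned until the process restarts, and because the key is `socket->peerAddress()`, users behind a shared NAT or reverse proxy are all locked out together once any one of them (or an attacker) fails three times — storing a timestamp with the count and letting the ban lapse after a fixed interval would keep the protection without the permanent self-inflicted denial of service (that needs the hash's value type in httpserver.h to change). respond()'s body continues past the end of the hunk.

```cpp
  QStringList auth = parser.value("Authorization").split(" ", QString::SkipEmptyParts);
  // Only a credential that was actually presented and rejected counts as a failed
  // attempt: the first request of a Basic-auth exchange legitimately has no header.
  const bool has_credential = auth.size() == 2 && QString::compare(auth[0], "Basic", Qt::CaseInsensitive) == 0;
  if (!has_credential || !parent->isAuthorized(auth[1].toLocal8Bit())) {
    if (has_credential) {
      parent->client_failed_attempts.insert(socket->peerAddress().toString(), nb_fail+1);
      qDebug("client IP: %s (%d failed attempts)", socket->peerAddress().toString().toLocal8Bit().data(), nb_fail+1);
    }
    // … unchanged: 401 response with WWW-Authenticate header, write(), return …
  }
```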
diff --git a/src/httpserver.h b/src/httpserver.h
index 25ddc329c..f34069fca 100644
--- a/src/httpserver.h
+++ b/src/httpserver.h
@@ -35,6 +35,7 @@
 #include
 #include
 #include
+#include
 class Bittorrent;
 class QTimer;
@@ -56,6 +57,7 @@ class HttpServer : public QTcpServer {
 void setAuthorization(QString username, QString password_md5);
 bool isAuthorized(QByteArray auth) const;
 EventManager *eventManager() const;
+ QHash client_failed_attempts;
 private slots:
 void newHttpConnection();
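Review bot: `client_failed_attempts` is added as a public data member (it sits in the public section after `eventManager()`) that HttpConnection reads, inserts into and removes from directly, so the ban policy — the threshold of three, the ban with no expiry, the keying by peer address — ends up hard-coded in the connection class instead of being owned by the server that holds the state. Making the member private and exposing it through `bool isBanned(const QString &ip) const;`, `void recordFailedAttempt(const QString &ip);` and `void clearFailedAttempts(const QString &ip);` would keep the threshold a single named constant next to `isAuthorized()` and give one place to add expiry later. The key and value types of the QHash and the name of the added header are not visible in this extract (the angle-bracketed parts appear to have been stripped), so whether the value type leaves room for a ban timestamp cannot be checked here. The HttpServer class body continues outside the hunk.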