Describe the changes in this Pull Request

Fix: some sites cannot correctly count the number of failed logins

Describe the reason for the change

In Discuz! X3.2 Release 20141225 and the UCenter release published at the same time (the version's code is linked below), a partially working "allowed number of failed user logins" feature was developed. The feature was never completed; instead, its entry in the settings interface was simply commented out, and later versions did not continue its development.

Commenting out that setting causes login_failedtime on some sites to be saved as 0 when the basic settings are saved in the UCenter admin panel. Because different code paths treat 0 differently, the system ends up not recording login failures at all while the prompt message always reports a fixed 4 remaining attempts, which is the bug.

This version completes the feature by modifying Discuz! X, UCenter and UC_Client, and additionally adds a remapping safeguard to resolve the related problems.

For the version's code, see: https://gitee.com/popcorner/dzhistory/commit/472d462b8ad3f6b25d5e2ffba32f7b0f356d0d56

Special notes on backward-incompatible or security-related changes

This defect affects X3.2 Release 20141225 and later versions; affected sites are at risk of password brute-forcing and should upgrade as soon as possible.

Although the code includes the remapping safeguard, sites are still advised to set this option to a sensible value in the UCenter admin panel, and then check, for each site in the notification list, that the login_failedtime entry in its uc_client/data/cache/settings.php cache file is a value greater than 0 and that the other options are correct, to avoid other functional abnormalities.

If a site cannot upgrade, then after overlaying the functions involved in !1092:修复 部分站点无法正确统计登录失败次数的问题 (fix: some sites cannot correctly count failed logins), also update the site's UCenter communication functions with reference to !675:修复 dfopen的socket相关问题(UCenter及安装程序部分) (fix: dfopen socket issues, UCenter and installer parts) and !628:【轻量级 PR】:修复 UCenter 通讯成功但在部分情况下通知失败导致的问题 (lightweight PR: fix notification failures in some cases even though UCenter communication succeeds), so that the new configuration can be delivered. You can also refer to https://gitee.com/Discuz/DiscuzX/pulls?label_ids=54935126&status=merged to harden against other security issues.

This PR has followed a responsible vulnerability disclosure process: @湖中沉 and @DiscuzX were contacted and a pre-test was carried out before publication. Thanks to them for their suggestions on this fix and their thorough testing.

Related Issue

#I3W82V: No matter what account and password are entered, it always reports login failure and says 4 more attempts are allowed
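As an added illustration (not code from this PR, nor from Discuz! or UCenter), the following Python script demonstrates the two things the paragraph above asks an operator to do: read the settings cache and verify that login_failedtime is greater than 0, and remap a 0 (or missing/invalid) value to a positive default inside the failure counter so that a bad setting cannot silently disable lockout. The cache file layout, the extra key example_option, the constructed sample contents and the default of 5 are assumptions made for this example.

```python
import re

# Constructed sample cache files. The real uc_client/data/cache/settings.php
# is a PHP array dump; the exact layout used here is an assumption.
CACHE_OK = """<?php
$_CACHE['settings'] = array (
  'login_failedtime' => '5',
  'example_option' => 'value',
);
"""
CACHE_BROKEN = """<?php
$_CACHE['settings'] = array (
  'login_failedtime' => '0',
  'example_option' => 'value',
);
"""

# Fallback used by the remap below. Assumed for this example, not the project's value.
DEFAULT_FAILEDTIME = 5


def parse_settings_cache(text):
    """Extract 'key' => 'value' pairs (quoted scalars only) from a PHP array dump."""
    return dict(re.findall(r"'([A-Za-z0-9_]+)'\s*=>\s*'([^']*)'", text))


def effective_login_failedtime(raw, default=DEFAULT_FAILEDTIME):
    """Remap a missing, non-numeric or non-positive setting to `default`.

    This is the safeguard pattern: a 0 written by a commented-out admin field
    must never be interpreted as 'do not count failures'.
    """
    try:
        value = int(raw)
    except (TypeError, ValueError):
        return default
    return value if value > 0 else default


def check_settings_cache(text):
    """Operator check: return (ok, message) for the login_failedtime entry."""
    settings = parse_settings_cache(text)
    raw = settings.get("login_failedtime")
    if raw is None:
        return (False, "login_failedtime missing from cache")
    if not raw.isdigit() or int(raw) <= 0:
        return (False, f"login_failedtime is {raw!r}; expected a value > 0")
    return (True, f"login_failedtime={raw}")


class LoginFailureTracker:
    """Per-user failed-login counter. remap=False reproduces the reported bug."""

    def __init__(self, login_failedtime, remap=True):
        if remap:
            self.limit = effective_login_failedtime(login_failedtime)
        else:
            self.limit = int(login_failedtime)
        self.failures = {}

    def record_failure(self, username):
        """Return (locked, attempts_left) after one more failed attempt."""
        if self.limit <= 0:
            # Buggy path described in the PR: nothing is recorded and the
            # prompt always reports a fixed 4 remaining attempts.
            return (False, 4)
        n = self.failures.get(username, 0) + 1
        self.failures[username] = n
        return (n >= self.limit, max(self.limit - n, 0))


if __name__ == "__main__":
    for name, text in (("ok", CACHE_OK), ("broken", CACHE_BROKEN)):
        print(name, check_settings_cache(text))
    buggy = LoginFailureTracker("0", remap=False)
    fixed = LoginFailureTracker("0")
    for _ in range(6):
        print("buggy:", buggy.record_failure("alice"), "fixed:", fixed.record_failure("alice"))
```

Run against the broken sample, the checker reports the 0 value, and the unremapped tracker never locks the account however many failures are recorded, whereas the remapped tracker locks after the default limit.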