Skip to content

Commit

Permalink
synchronize failed pin entry (#2940)
Browse files Browse the repository at this point in the history
  • Loading branch information
davidism authored Aug 21, 2024
2 parents 7abec4b + 6504819 commit a1db120
Show file tree
Hide file tree
Showing 2 changed files with 11 additions and 5 deletions.
2 changes: 2 additions & 0 deletions CHANGES.rst
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,8 @@ Unreleased
413 error. :issue:`2930`
- Improve ``parse_options_header`` performance when parsing unterminated
quoted string values. :issue:`2907`
- Debugger pin auth is synchronized across threads/processes when tracking
failed entries. :issue:`2916`


Version 3.0.3
Expand Down
14 changes: 9 additions & 5 deletions src/werkzeug/debug/__init__.py
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@
from contextlib import ExitStack
from io import BytesIO
from itertools import chain
from multiprocessing import Value
from os.path import basename
from os.path import join
from zlib import adler32
Expand Down Expand Up @@ -286,7 +287,7 @@ def __init__(
self.console_init_func = console_init_func
self.show_hidden_frames = show_hidden_frames
self.secret = gen_salt(20)
self._failed_pin_auth = 0
self._failed_pin_auth = Value("B")

self.pin_logging = pin_logging
if pin_security:
Expand Down Expand Up @@ -454,8 +455,11 @@ def check_host_trust(self, environ: WSGIEnvironment) -> bool:
return host_is_trusted(environ.get("HTTP_HOST"), self.trusted_hosts)

def _fail_pin_auth(self) -> None:
time.sleep(5.0 if self._failed_pin_auth > 5 else 0.5)
self._failed_pin_auth += 1
with self._failed_pin_auth.get_lock():
count = self._failed_pin_auth.value
self._failed_pin_auth.value = count + 1

time.sleep(5.0 if count > 5 else 0.5)

def pin_auth(self, request: Request) -> Response:
"""Authenticates with the pin."""
Expand All @@ -482,15 +486,15 @@ def pin_auth(self, request: Request) -> Response:
auth = True

# If we failed too many times, then we're locked out.
elif self._failed_pin_auth > 10:
elif self._failed_pin_auth.value > 10:
exhausted = True

# Otherwise go through pin based authentication
else:
entered_pin = request.args["pin"]

if entered_pin.strip().replace("-", "") == pin.replace("-", ""):
self._failed_pin_auth = 0
self._failed_pin_auth.value = 0
auth = True
else:
self._fail_pin_auth()
Expand Down

0 comments on commit a1db120

Please sign in to comment.