Merge remote-tracking branch 'openmage/main' into next

colinmollenhour · colinmollenhour · commit 94b44acf925a · 2023-08-29T11:38:49.000-04:00
diff --git a/app/code/core/Mage/Core/Helper/Data.php b/app/code/core/Mage/Core/Helper/Data.php
@@ -1008,4 +1008,39 @@ public function isFormKeyEnabled(): bool
     {
         return Mage::getStoreConfigFlag(Mage_Core_Controller_Front_Action::XML_CSRF_USE_FLAG_CONFIG_PATH);
     }
+
+    /**
+     * @param bool $setErrorMessage Adds a predefined error message to the 'core/session' object
+     * @return bool
+     */
+    public function isRateLimitExceeded($setErrorMessage = true, $recordRateLimitHit = true): bool
+    {
+        $active = Mage::getStoreConfigFlag('system/rate_limit/active');
+        if ($active && $remoteAddr = Mage::helper('core/http')->getRemoteAddr()) {
+            $cacheTag = 'rate_limit_' . $remoteAddr;
+            if (Mage::app()->testCache($cacheTag)) {
+                $errorMessage = "Too Soon: You are trying to perform this operation too frequently. Please wait a few seconds and try again.";
+                Mage::getSingleton('core/session')->addError($this->__($errorMessage));
+                return true;
+            }
+
+            if ($recordRateLimitHit) {
+                $this->recordRateLimitHit();
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * @return void
+     */
+    public function recordRateLimitHit(): void
+    {
+        $active = Mage::getStoreConfigFlag('system/rate_limit/active');
+        if ($active && $remoteAddr = Mage::helper('core/http')->getRemoteAddr()) {
+            $cacheTag = 'rate_limit_' . $remoteAddr;
+            Mage::app()->saveCache(1, $cacheTag, ['brute_force'], Mage::getStoreConfig('system/rate_limit/timeframe'));
+        }
+    }
 }
diff --git a/app/code/core/Mage/Core/etc/config.xml b/app/code/core/Mage/Core/etc/config.xml
@@ -315,6 +315,10 @@
             <csrf>
                 <use_form_key>1</use_form_key>
             </csrf>
+            <rate_limit>
+                <active>1</active>
+                <timeframe>30</timeframe>
+            </rate_limit>
             <cache>
                 <flush_cron_expr>30 2 * * *</flush_cron_expr>
             </cache>
diff --git a/app/code/core/Mage/Core/etc/system.xml b/app/code/core/Mage/Core/etc/system.xml
@@ -50,6 +50,33 @@
                         </use_form_key>
                     </fields>
                 </csrf>
+                <rate_limit translate="label comment" module="core">
+                    <label>Rate limit</label>
+                    <sort_order>10</sort_order>
+                    <show_in_default>1</show_in_default>
+                    <show_in_website>1</show_in_website>
+                    <show_in_store>1</show_in_store>
+                    <comment>This functionality limits the number of requests a user (identified by IP address) can perform within a specific time frame, preventing excessive resources usage and maintaining system performance, stability and security.</comment>
+                    <fields>
+                        <active translate="label">
+                            <label>Enabled</label>
+                            <frontend_type>select</frontend_type>
+                            <source_model>adminhtml/system_config_source_yesno</source_model>
+                            <sort_order>10</sort_order>
+                            <show_in_default>1</show_in_default>
+                            <show_in_website>1</show_in_website>
+                            <show_in_store>1</show_in_store>
+                        </active>
+                        <timeframe translate="label comment">
+                            <label>Timeframe</label>
+                            <sort_order>20</sort_order>
+                            <show_in_default>1</show_in_default>
+                            <show_in_website>1</show_in_website>
+                            <show_in_store>1</show_in_store>
+                            <comment>Number of seconds between each allowed request.</comment>
+                        </timeframe>
+                    </fields>
+                </rate_limit>
                 <cache translate="label" module="core">
                     <label>Advanced Cache Settings</label>
                     <sort_order>1000</sort_order>
@@ -69,13 +96,6 @@
                 </cache>
             </groups>
         </system>
-        <!--<web_track translate="label" module="core">
-            <label>Web Tracking</label>
-            <sort_order>180</sort_order>
-            <show_in_default>1</show_in_default>
-            <show_in_website>1</show_in_website>
-            <show_in_store>1</show_in_store>
-        </web_track>-->
         <advanced translate="label" module="core">
             <label>Advanced</label>
             <tab>advanced</tab>
@@ -84,35 +104,6 @@
             <show_in_website>1</show_in_website>
             <show_in_store>1</show_in_store>
             <groups>
-                <!--datashare translate="label">
-                    <label>Datasharing</label>
-                    <sort_order>1</sort_order>
-                    <show_in_default>1</show_in_default>
-                    <show_in_website>1</show_in_website>
-                    <show_in_store>0</show_in_store>
-                    <fields>
-                        <default translate="label">
-                            <label>Default</label>
-                            <frontend_type>multiselect</frontend_type>
-                            <backend_model>adminhtml/system_config_backend_datashare</backend_model>
-                            <source_model>adminhtml/system_config_source_store</source_model>
-                            <sort_order>1</sort_order>
-                            <show_in_default>1</show_in_default>
-                            <show_in_website>1</show_in_website>
-                            <show_in_store>1</show_in_store>
-                        </default>
-                        <default translate="label">
-                            <label>Default</label>
-                            <frontend_type>multiselect</frontend_type>
-                            <backend_model>adminhtml/system_config_backend_datashare</backend_model>
-                            <source_model>adminhtml/system_config_source_store</source_model>
-                            <sort_order>1</sort_order>
-                            <show_in_default>1</show_in_default>
-                            <show_in_website>1</show_in_website>
-                            <show_in_store>1</show_in_store>
-                        </default>
-                    </fields>
-                </datashare-->
                 <modules_disable_output translate="label">
                     <label>Disable Modules Output</label>
                     <frontend_model>adminhtml/system_config_form_fieldset_modules_disableOutput</frontend_model>
diff --git a/app/code/core/Mage/Sales/Helper/Guest.php b/app/code/core/Mage/Sales/Helper/Guest.php
@@ -105,6 +105,7 @@ public function loadValidOrder()
                     $errors = true;
                 }
             } else {
+                Mage::helper('core')->recordRateLimitHit();
                 $errors = true;
             }
         }
@@ -114,7 +115,10 @@ public function loadValidOrder()
             return true;
         }
 
-        Mage::getSingleton('core/session')->addError($this->__($errorMessage));
+        if (!Mage::helper('core')->isRateLimitExceeded(true, false)) {
+            Mage::getSingleton('core/session')->addError($this->__($errorMessage));
+        }
+
         Mage::app()->getResponse()->setRedirect(Mage::getUrl('sales/guest/form'));
         return false;
     }
diff --git a/app/code/core/Mage/Sales/Model/Order.php b/app/code/core/Mage/Sales/Model/Order.php
@@ -2372,7 +2372,7 @@ protected function _beforeSave()
         }
 
         if (!$this->getId()) {
-            $this->setData('protect_code', substr(md5(uniqid(mt_rand(), true) . ':' . microtime(true)), 5, 6));
+            $this->setData('protect_code', Mage::helper('core')->getRandomString(16));
         }
 
         if ($this->getStatus() !== $this->getOrigData('status')) {
diff --git a/app/locale/en_US/Mage_Core.csv b/app/locale/en_US/Mage_Core.csv
@@ -384,6 +384,7 @@
 "Timezone","Timezone"
 "Title Prefix","Title Prefix"
 "Title Suffix","Title Suffix"
+"Too Soon: You are trying to perform this operation too frequently. Please wait a few seconds and try again.","Too Soon: You are trying to perform this operation too frequently. Please wait a few seconds and try again."
 "Transactional Emails","Transactional Emails"
 "Translate Inline","Translate Inline"
 "Translate, blocks and other output caches should be disabled for both frontend and admin inline translations.","Translate, blocks and other output caches should be disabled for both frontend and admin inline translations."

Original file line number	Diff line number	Diff line change
`@@ -105,6 +105,7 @@ public function loadValidOrder()`
`105`	`105`	`$errors = true;`
`106`	`106`	`}`
`107`	`107`	`} else {`
	`108`	`+ Mage::helper('core')->recordRateLimitHit();`
`108`	`109`	`$errors = true;`
`109`	`110`	`}`
`110`	`111`	`}`
`@@ -114,7 +115,10 @@ public function loadValidOrder()`
`114`	`115`	`return true;`
`115`	`116`	`}`
`116`	`117`
`117`		`- Mage::getSingleton('core/session')->addError($this->__($errorMessage));`
	`118`	`+ if (!Mage::helper('core')->isRateLimitExceeded(true, false)) {`
	`119`	`+ Mage::getSingleton('core/session')->addError($this->__($errorMessage));`
	`120`	`+ }`
	`121`	`+`
`118`	`122`	`Mage::app()->getResponse()->setRedirect(Mage::getUrl('sales/guest/form'));`
`119`	`123`	`return false;`
`120`	`124`	`}`
Original file line number	Diff line number	Diff line change
`@@ -2372,7 +2372,7 @@ protected function _beforeSave()`
`2372`	`2372`	`}`
`2373`	`2373`
`2374`	`2374`	`if (!$this->getId()) {`
`2375`		`- $this->setData('protect_code', substr(md5(uniqid(mt_rand(), true) . ':' . microtime(true)), 5, 6));`
	`2375`	`+ $this->setData('protect_code', Mage::helper('core')->getRandomString(16));`
`2376`	`2376`	`}`
`2377`	`2377`
`2378`	`2378`	`if ($this->getStatus() !== $this->getOrigData('status')) {`