Fix anti-bruteforcing sleep to be outside of any locking

2022-01-31 23:18:40 +01:00 · 2022-01-31 23:18:40 +01:00 · a71e81eee2
commit a71e81eee2
parent 5b1521c5c8
1 changed files with 7 additions and 4 deletions
--- a/src/controller/controller_api.cpp
+++ b/src/controller/controller_api.cpp
@ -409,12 +409,15 @@ int Controller::handleAPIConnection(Socket::Connection &conn){
        }
        if (authorized){
          handleAPICommands(Request, Response);
-        }else{// unauthorized
-          Util::sleep(1000); // sleep a second to prevent bruteforcing
-          logins++;
+          Controller::checkServerLimits(); /*LTS*/
        }
-        Controller::checkServerLimits(); /*LTS*/
      }// config mutex lock
+      if (!authorized){
+        // sleep a second to prevent bruteforcing.
+        // We need to make sure this happens _after_ unlocking the mutex!
+        Util::sleep(1000);
+        logins++;
+      }
      // send the response, either normally or through JSONP callback.
      std::string jsonp = "";
      if (H.GetVar("callback") != ""){jsonp = H.GetVar("callback");}