add password fail time check

conf/app.php

@@ -3,8 +3,8 @@
  * Config
  */
 $configs = array(
-    'version' => '0.3.4',
-    'releaseDate' => '2024-10-05',
+    'version' => '0.3.5',
+    'releaseDate' => '2024-10-07',
     'showVersion' => false,     //默认不显示版本号和发布日期
 
     'default_timezone' => 'Asia/Hong_Kong',      //timezone, check more: https://www.php.net/manual/en/timezones.asia.php

plugins/Common.php

@@ -4,6 +4,8 @@
  */
 Class Common {
     public static function cleanSpecialChars($str) {
+        if (empty($str)) {return $str;}
+
         $findChars = array(
             '"',
             "'",

themes/beauty/controller/SiteController.php

@@ -126,7 +126,7 @@ Class SiteController extends Controller {
 
         //提示信息支持
         $alertWarning = $this->get('err', '');
-
+        $alertWarning = Common::cleanSpecialChars($alertWarning);
 
         //翻页支持
         $page = $this->get('page', 1);
@@ -882,6 +882,8 @@ Class SiteController extends Controller {
     //密码授权
     public function actionPwdauth() {
         $checkDir = $this->get('dir', '');
+        $checkDir = Common::cleanSpecialChars($checkDir);
+
         $goBackUrl = $this->get('back', '');
         $password = '';
 
@@ -892,14 +894,39 @@ Class SiteController extends Controller {
         $errorMsg = '';
         $post = $this->post();
         if (!empty($post)) {
+            //增加频率限制
+            $user_ip = $this->getUserIp();
+            $ipLockKey = $this->getCacheKey($user_ip, $checkDir);
+            $lockCacheDir = 'lock';
+            $expireSeconds = 600;       //缓存 10 分钟
+            $maxFailNum = 5;            //最多失败次数
+            $ipTryData = Common::getCacheFromFile($ipLockKey, $expireSeconds, $lockCacheDir);
+            if (!empty($ipTryData) && $ipTryData['fail'] >= $maxFailNum) {
+                $authed = false;
+                $minutes = $expireSeconds/60;
+                $errorMsg = "密码错误已达 {$maxFailNum} 次，请 {$minutes} 分钟后再试！";
+            }else {
                 $password = $this->post('password', '');
                 $authed = Common::pwdAuthToDir($checkDir, $password);
+
                 if ($authed == false) {
-                $errorMsg = '密码错误，请仔细检查后重试。';
+                    if (empty($ipTryData)) {
+                        $ipTryData = array(
+                            'at' => time(),
+                            'fail' => 1,
+                        );
+                    }else {
+                        $ipTryData['fail'] ++;
+                        $ipTryData['at'] = time();
+                    }
+                    Common::saveCacheToFile($ipLockKey, $ipTryData, $lockCacheDir);
+
+                    $errorMsg = "第 {$ipTryData['fail']} 次密码错误，请仔细检查后重试。";
                 }else {
                     return $this->redirect($goBackUrl);
                 }
             }
+        }
 
         $maxScanDeep = 0;
 

themes/beauty/views/site/pwdauth.php

@@ -17,8 +17,8 @@
 <div class="container">
     <form class="simple-form" action="" method="POST">
         <div class="alert alert-warning">
-            <h3>当前页面需密码授权</h3>
-            <p class="mt-1">如果你不知道密码，请联系管理员索要。</p>
+            <h3>【<?php echo $viewData['checkDir']; ?>】需要输入密码才能浏览</h3>
+            <p class="mt-1">如果你还不知道密码，请联系管理员。</p>
         </div>
         <?php
         if (!empty($viewData['errorMsg'])) {
@@ -35,7 +35,7 @@ eof;
         </div>
         <div class="">
             <button class="btn btn-primary" type="submit">
-                继续访问
+                继续浏览
             </button>
         </div>
     </form>