From 4e1978b534b6db7c83e1d3937913c613f647d4e5 Mon Sep 17 00:00:00 2001
From: Daniel Kesselberg
Date: Wed, 1 Jul 2026 10:56:25 +0200
Subject: [PATCH] fix(bruteforce): Don't throttle requests with failing CSRF
Signed-off-by: Daniel Kesselberg
---
 core/Controller/LoginController.php | 1 +
 tests/Core/Controller/LoginControllerTest.php | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/Controller/LoginController.php b/core/Controller/LoginController.php
index e2981bb4665e7..5c11c4bba83dc 100644
--- a/core/Controller/LoginController.php
+++ b/core/Controller/LoginController.php
@@ -319,6 +319,7 @@ public function tryLogin(
 // case when a user has already logged-in, in another tab.
 return $this->generateRedirect($redirect_url);
 }
+ $throttle = false;
 $error = self::LOGIN_MSG_CSRFCHECKFAILED;
 }
diff --git a/tests/Core/Controller/LoginControllerTest.php b/tests/Core/Controller/LoginControllerTest.php
index 05bea87717407..3c8fbd849b936 100644
--- a/tests/Core/Controller/LoginControllerTest.php
+++ b/tests/Core/Controller/LoginControllerTest.php
@@ -596,7 +596,6 @@ public function testLoginWithoutPassedCsrfCheckAndNotLoggedIn(bool $rememberme):
 $response = $this->loginController->tryLogin($loginChain, $trustedDomainHelper, 'Jane', $password, $rememberme, $originalUrl);
 $expected = new RedirectResponse('');
- $expected->throttle(['user' => 'Jane']);
 $this->assertEquals($expected, $response);
 }
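Review bot: The added `$throttle = false;` in the CSRF-failure branch of tryLogin (core/Controller/LoginController.php) carries no comment saying why brute-force throttling is switched off there, and a later reader could take it for an oversight. I would add something like `// CSRF check failed: do not count this request as a brute-force attempt`. The declaration of `$throttle` and the code that consumes it are outside the hunk, so it is worth confirming that this branch returns the failure response before the password is ever checked; otherwise a request with a bad token would get a credential check that is not throttled. The test hunk only drops the `throttle()` expectation; an assertion that `$loginChain` is never invoked on this path would pin that property, if the test does not already have one outside the hunk.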