commit 631e9009dfe04ad4695f5747a85b181033c1b958 Author: Peter Haight <peterh@giantrabbit.com> Date: Thu Jan 23 10:02:48 2020 -0800 Fixed bug that let rate be exceeded If you started the rate limiter for an IP address and then let it sit for awhile, you could get the $allowance to build up over the rate limit for a small amount of time. Issue #44827 --- src/IpRateLimiter.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/IpRateLimiter.php b/src/IpRateLimiter.php index b14af3d3..dd69c82e 100644 --- a/src/IpRateLimiter.php +++ b/src/IpRateLimiter.php @@ -26,6 +26,8 @@ class IpRateLimiter { $this->setIpData($keyName, $allowance, $now); $ipAddress = $request->getAttribute('ip_address'); throw new IpRateExceeded("There have been more than {$this->maxRequestsPerTimeSpan} requests from $ipAddress in the last {$this->timeSpan} seconds."); + } elseif ($allowance > $this->maxRequestsPerTimeSpan) { + $allowance = $this->maxRequestsPerTimeSpan; } $allowance -= 1; $this->setIpData($keyName, $allowance, $now); @@ -38,7 +40,6 @@ class IpRateLimiter { } $struct = unserialize($data, ['allowed_classes', FALSE]); if ($struct === FALSE) { - $this->logger->debug("Bap\n!"); return [$this->maxRequestsPerTimeSpan, time()]; } return unserialize($data);