From 178e44095141ab805c282f563fb088df1a10b2e2 Mon Sep 17 00:00:00 2001
From: snipe
Date: Tue, 15 Feb 2022 18:09:58 -0800
Subject: [PATCH] Added usleep :(
Signed-off-by: snipe
---
 app/Http/Controllers/Auth/ForgotPasswordController.php | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/app/Http/Controllers/Auth/ForgotPasswordController.php b/app/Http/Controllers/Auth/ForgotPasswordController.php
index 3619b4e5bfdd..62798745a791 100644
--- a/app/Http/Controllers/Auth/ForgotPasswordController.php
+++ b/app/Http/Controllers/Auth/ForgotPasswordController.php
@@ -87,6 +87,8 @@ public function sendResetLinkEmail(Request $request)
 \Log::info('Password reset attempt: User '.$request->input('username').'failed with exception: '.$e );
 }
+ // Prevent timing attack to enumerate users.
+ usleep(500000 + random_int(0, 1500000));
 if ($response === \Password::RESET_LINK_SENT) {
 \Log::info('Password reset attempt: User '.$request->input('username').' WAS found, password reset sent');
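Review bot: The added `usleep()` only overlays uniform noise with a constant mean on the response time, so the found/not-found difference (the branch that actually dispatches the reset mail, unless mail is queued) is still recoverable by an attacker who repeats the request and averages, and the sleep also pins a PHP worker for 0.5–2 s per unauthenticated request, which makes this route cheap to use for worker exhaustion. A sleep is a defensible stopgap, but it should be paired with a rate limit on the route (Laravel's `throttle` middleware) and, where the deployment allows, a queued mailer so both branches do the same synchronous work. Note also that if `$response` is assigned only inside the `try` that precedes the hunk, the catch path reaches the `if ($response === ...)` comparison with an undefined variable; the commit does not change that, but the new sleep now runs on that path as well. I would write the jitter as a single call and state its limits in the comment, `// Jitter hides the found/not-found timing difference from single requests only; route throttling is the real protection.` followed by `usleep(random_int(500000, 2000000));`. `sendResetLinkEmail()` starts before the hunk and continues after it.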