This update fixes some corner case bugs and a security vulnerability in the password brute-force protection. More details below.
- Fixed lag on some operating systems when gathering CPU load during high CPU activity by moving CPU, RAM and Disk Space gathering to a non-server thread.
- Fixed an issue where the Authorization header was used by a reverse proxy (for basic authentication) while Plan's own authentication was disabled. A code path that tried to read the Plan user from that header still ran, so every proxied request counted as a failed login attempt and eventually produced a 403. That code path now does not run when authentication is disabled.
- Fixed an issue where failed login attempts were incorrectly counted, leading to a 403 error appearing on the main page after one failed login followed by a successful login.
- Cleaned up the 403 error page shown for blocked access when the CSS resources are also blocked (after 3 failed attempts).
- Plan prevents login attempts for two minutes after 3 failed logins in order to make brute-forcing passwords more difficult. An oversight in how failed login attempts were counted reset the counter whenever Plan sent a successful response (HTTP 200 OK). Because .css files do not require authentication, a bad actor could have automated their attack to request a .css file after every 2 guesses, keeping the counter below the limit indefinitely. Fixed by detecting a successful login explicitly instead of relying on HTTP status codes.
- Fixed ‘Czechia’ not being counted on the map due to missing ISO code.
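The three login-counter items above (the reverse-proxy Authorization header, the counter reset after a failed-then-successful login, and the .css counter-reset bypass) all come down to one question: what event is allowed to reset the failed-login counter? The following is an added example, not Plan's code, that models the login path in Python with a `reset_on_any_200` switch to reproduce the oversight beside the corrected behaviour, and runs the attacker's "fetch a .css file every 2 guesses" loop against both. The user names, passwords, addresses and paths are constructed sample data.

```python
import base64
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Optional

MAX_FAILURES = 3          # failed logins allowed before lockout
LOCKOUT_SECONDS = 120     # lockout duration: two minutes, as on the page


class FakeClock:
    """Deterministic monotonic clock so the lockout window can be tested offline."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


@dataclass
class Request:
    path: str
    authorization: Optional[str] = None   # raw Authorization header, if sent


def basic_auth(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


class LoginTracker:
    """Per-client failed-login counter with a time-limited lockout."""
    def __init__(self, clock: Callable[[], float]) -> None:
        self.clock = clock
        self.failures: Dict[str, int] = {}
        self.blocked_until: Dict[str, float] = {}

    def is_blocked(self, addr: str) -> bool:
        until = self.blocked_until.get(addr)
        if until is None:
            return False
        if self.clock() >= until:             # lockout expired: start fresh
            del self.blocked_until[addr]
            self.failures.pop(addr, None)
            return False
        return True

    def record_failure(self, addr: str) -> None:
        self.failures[addr] = self.failures.get(addr, 0) + 1
        if self.failures[addr] >= MAX_FAILURES:
            self.blocked_until[addr] = self.clock() + LOCKOUT_SECONDS

    def reset(self, addr: str) -> None:
        self.failures.pop(addr, None)


class WebServer:
    """Toy model of the login path. reset_on_any_200=True reproduces the oversight."""
    def __init__(self, users, clock, auth_enabled=True, reset_on_any_200=False):
        self.users = users                    # constructed user -> password table
        self.tracker = LoginTracker(clock)
        self.auth_enabled = auth_enabled
        self.reset_on_any_200 = reset_on_any_200

    def _credentials_valid(self, header: str) -> bool:
        try:
            scheme, encoded = header.split(" ", 1)
            user, password = base64.b64decode(encoded).decode().split(":", 1)
        except (ValueError, UnicodeDecodeError):
            return False
        expected = self.users.get(user)
        # constant-time compare; unknown users still pay for a comparison
        same = hmac.compare_digest(password.encode(), (expected or "").encode())
        return scheme == "Basic" and same and expected is not None

    def handle(self, addr: str, req: Request) -> int:
        if self.tracker.is_blocked(addr):
            return 403
        login_ok = False
        if req.path.endswith(".css"):
            status = 200                      # static resource: served without authentication
        elif not self.auth_enabled:
            status = 200                      # proxy did the auth; the header is NOT a Plan login
        elif req.authorization is None:
            status = 401
        elif self._credentials_valid(req.authorization):
            login_ok, status = True, 200
        else:
            self.tracker.record_failure(addr)
            status = 401
        # The oversight: treating "a 200 went out" as "the user logged in".
        if login_ok or (self.reset_on_any_200 and status == 200):
            self.tracker.reset(addr)
        return status


def brute_force(server: WebServer, addr: str, guesses) -> int:
    """Counts password guesses actually evaluated before the client is served a 403."""
    evaluated = 0
    for i, guess in enumerate(guesses):
        if server.handle(addr, Request("/", basic_auth("admin", guess))) == 403:
            break
        evaluated += 1
        if (i + 1) % 2 == 0:                  # the bypass: fetch a .css file after every 2 guesses
            server.handle(addr, Request("/css/style.css"))
    return evaluated


def demo():
    users = {"admin": "correct horse"}        # constructed sample credential
    guesses = [f"guess{i}" for i in range(10)]
    vulnerable = WebServer(users, FakeClock(), reset_on_any_200=True)
    fixed = WebServer(users, FakeClock())
    return brute_force(vulnerable, "10.0.0.1", guesses), brute_force(fixed, "10.0.0.1", guesses)


if __name__ == "__main__":
    print(demo())   # (10, 3): the vulnerable server never locks, the fixed one stops after 3
```

The fixed variant resets the counter only when credentials were actually verified, so a genuine login after a failed attempt clears it (no stray 403 on the main page), an unauthenticated .css fetch leaves it alone, and with authentication disabled the proxy's Authorization header never reaches the counter at all.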
Plan recently reached over 200 stars on Github!
If you have a bug, don’t hesitate to report it over here: http://bugs.playeranalytics.net - Thanks!