From 6f751d01dbe84b7564c573e20e9264d53b19c48a Mon Sep 17 00:00:00 2001
From: Joas Schilling
Date: Thu, 19 Mar 2020 13:31:07 +0100
Subject: [PATCH] Make the throttling O(2^n) instead of O(n^n)
Signed-off-by: Joas Schilling
---
 lib/private/Security/Bruteforce/Throttler.php | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/lib/private/Security/Bruteforce/Throttler.php b/lib/private/Security/Bruteforce/Throttler.php
index 10e5061b9e..f2bdd9986b 100644
--- a/lib/private/Security/Bruteforce/Throttler.php
+++ b/lib/private/Security/Bruteforce/Throttler.php
@@ -53,6 +53,7 @@ use OCP\Security\Bruteforce\MaxDelayReached;
 class Throttler {
 public const LOGIN_ACTION = 'login';
 public const MAX_DELAY = 25;
+ public const MAX_ATTEMPTS = 10;
 /** @var IDBConnection */
 private $db;
@@ -260,18 +261,17 @@ class Throttler {
 return 0;
 }
- $maxDelay = self::MAX_DELAY;
 $firstDelay = 0.1;
- if ($attempts > (8 * PHP_INT_SIZE - 1)) {
+ if ($attempts > self::MAX_ATTEMPTS) {
 // Don't ever overflow. Just assume the maxDelay time:s
- $firstDelay = $maxDelay;
- } else {
- $firstDelay *= pow(2, $attempts);
- if ($firstDelay > $maxDelay) {
- $firstDelay = $maxDelay;
- }
+ return self::MAX_DELAY;
 }
- return (int) \ceil($firstDelay * 1000);
+
+ $delay = $firstDelay * 2**$attempts;
+ if ($delay > self::MAX_DELAY) {
+ return self::MAX_DELAY;
+ }
+ return (int) \ceil($delay * 1000);
 }
 /**
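Review bot: The two new capped returns in the second hunk hand back `self::MAX_DELAY` (25) unscaled, while the uncapped path right below returns `(int) \ceil($delay * 1000)` and the removed code also ran the cap through `\ceil($firstDelay * 1000)`, so the capped result is now a thousand times smaller than the value it replaces. With $firstDelay = 0.1 the cap is reached at 8 attempts (0.1 * 2**8 = 25.6 > 25), so the method returns 12800 at 7 attempts and 25 at 8; if callers treat the result as milliseconds, as the `* 1000` suggests, the brute-force delay all but disappears exactly where it should peak. Both early returns should read `return self::MAX_DELAY * 1000;` (or a constructed `MAX_DELAY_MS = 25000` constant declared beside MAX_DELAY in the first hunk), and a regression test asserting the returned delay is non-decreasing over attempts 1..11 would pin the monotonic behaviour. The enclosing method starts before the hunk; only its tail and closing brace are visible here.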