From 4e14315114408bd3559b0833e43b792c69574fa4 Mon Sep 17 00:00:00 2001 From: pineray Date: Mon, 25 Jul 2022 05:44:09 +0900 Subject: [PATCH 1/4] Add a login throttling to firewalls. --- .env.dist | 6 + app/config/eccube/packages/security.yaml | 13 +- composer.json | 1 + composer.lock | 147 +++++++++++++++++- phpunit.xml.dist | 6 + .../EventListener/LoginHistoryListener.php | 13 +- src/Eccube/Resource/locale/validators.ja.yaml | 3 + symfony.lock | 15 ++ 8 files changed, 194 insertions(+), 10 deletions(-) diff --git a/.env.dist b/.env.dist index 9df4d03ed30..02b1984f1a6 100644 --- a/.env.dist +++ b/.env.dist @@ -56,3 +56,9 @@ MAILER_DSN=null://null #ECCUBE_RESTRICT_FILE_UPLOAD=0 ###< APPLICATION CONFIG ### + +###> symfony/lock ### +# Choose one of the stores below +# postgresql+advisory://db_user:db_password@localhost/db_name +LOCK_DSN=semaphore +###< symfony/lock ### diff --git a/app/config/eccube/packages/security.yaml b/app/config/eccube/packages/security.yaml index 9fa9e42ea7e..3facaa912bb 100644 --- a/app/config/eccube/packages/security.yaml +++ b/app/config/eccube/packages/security.yaml @@ -1,4 +1,5 @@ security: + enable_authenticator_manager: true encoders: # Our user class and the algorithm we'll use to encode passwords # https://symfony.com/doc/current/security.html#c-encoding-the-user-s-password 
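Review bot: `LOCK_DSN=semaphore` is introduced in the .env.dist hunk, but nothing in this patch appears to consume it: the diffstat contains no `app/config/eccube/packages/lock.yaml`, even though the `symfony/lock` entry this patch adds to symfony.lock lists exactly that recipe file. Either commit the lock.yaml the recipe generates (presumably the `framework.lock` setting that reads `%env(LOCK_DSN)%`) or drop the variable, otherwise operators will tune a store that is never used. If it is wired up, the choice of store deserves a remark next to the variable, since the semaphore store is host-local, e.g. `# semaphore is per host; use a shared store (e.g. the postgresql+advisory DSN above) when running more than one app server`.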
@@ -22,24 +23,25 @@ security: security: false admin: pattern: '^/%eccube_admin_route%/' - anonymous: true provider: member_provider form_login: + enable_csrf: true check_path: admin_login login_path: admin_login - csrf_token_generator: security.csrf.token_manager default_target_path: admin_homepage username_parameter: 'login_id' password_parameter: 'password' use_forward: false success_handler: eccube.security.success_handler failure_handler: eccube.security.failure_handler + login_throttling: + max_attempts: 5 + interval: '30 minutes' logout: path: admin_logout success_handler: eccube.security.logout.success_handler customer: pattern: ^/ - anonymous: true provider: customer_provider remember_me: secret: '%kernel.secret%' @@ -47,15 +49,18 @@ security: name: eccube_remember_me remember_me_parameter: 'login_memory' form_login: + enable_csrf: true check_path: mypage_login login_path: mypage_login - csrf_token_generator: security.csrf.token_manager default_target_path: homepage username_parameter: 'login_email' password_parameter: 'login_pass' use_forward: false success_handler: eccube.security.success_handler failure_handler: eccube.security.failure_handler + login_throttling: + max_attempts: 5 + interval: '30 minutes' logout: path: logout target: homepage diff --git a/composer.json b/composer.json index 0471325f240..f7abfe8133f 100644 --- a/composer.json +++ b/composer.json @@ -79,6 +79,7 @@ "symfony/process": "^5.4", "symfony/property-access": "^5.4", "symfony/proxy-manager-bridge": "^5.4", + "symfony/rate-limiter": "^5.4", "symfony/routing": "^5.4", "symfony/security-bundle": "^5.4", "symfony/serializer": "^5.4", diff --git a/composer.lock b/composer.lock index 88da53c5a31..239a4454ae0 100644 --- a/composer.lock +++ b/composer.lock 
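Review bot: The `login_throttling` block added under the admin firewall's `form_login` (and repeated for the customer firewall in the next hunk) relies on Symfony's default login limiter, which, as far as I know, counts failures per submitted login id as well as, with a larger budget, per client IP; with `max_attempts: 5` and `interval: '30 minutes'` five failures against a known `login_id` or `login_email` therefore keep that account's legitimate owner out for the whole interval, and that trade-off should be recorded next to the setting, e.g. `# 5 failures per login id block further attempts for the interval (an intentional lockout of a known id)`. The per-IP half only works when the firewall sees the real client address, so confirm that `trusted_proxies` is configured for deployments behind a reverse proxy, otherwise every client shares one bucket. The counters also live in whatever cache pool the limiter is configured with; if that pool is filesystem-backed and per host, the limit is enforced per app server rather than globally, which fits the host-local `LOCK_DSN=semaphore` chosen in .env.dist but should be stated.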
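Review bot: Only `symfony/rate-limiter` is declared in the composer.json hunk, while `symfony/lock` arrives transitively (see the composer.lock hunk) even though this patch configures it directly through `LOCK_DSN` and the symfony.lock recipe entry. A component the application configures by name should be an explicit requirement, e.g. add `"symfony/lock": "^5.4",` next to it, so a future rate-limiter release loosening or dropping that requirement cannot silently remove the component from the install.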
@@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "00ba2149f4afb427ed9129a766b56cfe", + "content-hash": "fc0376b4e13336e65d38262bb5453599", "packages": [ { "name": "composer/ca-bundle", 
@@ -6663,6 +6663,82 @@ ], "time": "2022-02-25T13:55:17+00:00" }, + { + "name": "symfony/lock", + "version": "v5.4.10", + "source": { + "type": "git", + "url": "https://github.com/symfony/lock.git", + "reference": "41a308008d92d30cae5615d903c4d46d95932eea" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/symfony/lock/zipball/41a308008d92d30cae5615d903c4d46d95932eea", + "reference": "41a308008d92d30cae5615d903c4d46d95932eea", + "shasum": "" + }, + "require": { + "php": ">=7.2.5", + "psr/log": "^1|^2|^3", + "symfony/deprecation-contracts": "^2.1|^3", + "symfony/polyfill-php80": "^1.16" + }, + "conflict": { + "doctrine/dbal": "<2.13" + }, + "require-dev": { + "doctrine/dbal": "^2.13|^3.0", + "predis/predis": "~1.0" + }, + "type": "library", + "autoload": { + "psr-4": { + "Symfony\\Component\\Lock\\": "" + }, + "exclude-from-classmap": [ + "/Tests/" + ] + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Jérémy Derussé", + "email": "jeremy@derusse.com" + }, + { + "name": "Symfony Community", + "homepage": "https://symfony.com/contributors" + } + ], + "description": "Creates and manages locks, a mechanism to provide exclusive access to a shared resource", + "homepage": "https://symfony.com", + "keywords": [ + "cas", + "flock", + "locking", + "mutex", + "redlock", + "semaphore" + ], + "funding": [ + { + "url": "https://symfony.com/sponsor", + "type": "custom" + }, + { + "url": "https://github.com/fabpot", + "type": "github" + }, + { + "url": "https://tidelift.com/funding/github/packagist/symfony/symfony", + "type": "tidelift" + } + ], + "time": "2022-06-09T13:29:56+00:00" + }, { "name": "symfony/mailer", "version": "v5.4.8", 
@@ -8339,6 +8415,73 @@ ], "time": "2022-03-02T12:42:23+00:00" }, + { + "name": "symfony/rate-limiter", + "version": "v5.4.9", + "source": { + "type": "git", + "url": "https://github.com/symfony/rate-limiter.git", + "reference": "77bbe1e96118e117b8b1fe6bed57dc1b5dfebe45" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/symfony/rate-limiter/zipball/77bbe1e96118e117b8b1fe6bed57dc1b5dfebe45", + "reference": "77bbe1e96118e117b8b1fe6bed57dc1b5dfebe45", + "shasum": "" + }, + "require": { + "php": ">=7.2.5", + "symfony/lock": "^5.2|^6.0", + "symfony/options-resolver": "^5.1|^6.0" + }, + "require-dev": { + "psr/cache": "^1.0|^2.0|^3.0" + }, + "type": "library", + "autoload": { + "psr-4": { + "Symfony\\Component\\RateLimiter\\": "" + }, + "exclude-from-classmap": [ + "/Tests/" + ] + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Wouter de Jong", + "email": "wouter@wouterj.nl" + }, + { + "name": "Symfony Community", + "homepage": "https://symfony.com/contributors" + } + ], + "description": "Provides a Token Bucket implementation to rate limit input and output in your application", + "homepage": "https://symfony.com", + "keywords": [ + "limiter", + "rate-limiter" + ], + "funding": [ + { + "url": "https://symfony.com/sponsor", + "type": "custom" + }, + { + "url": "https://github.com/fabpot", + "type": "github" + }, + { + "url": "https://tidelift.com/funding/github/packagist/symfony/symfony", + "type": "tidelift" + } + ], + "time": "2022-05-14T11:02:49+00:00" + }, { "name": "symfony/routing", "version": "v5.4.3", @@ -13888,5 +14031,5 @@ "platform-overrides": { "php": "7.4.0" }, - "plugin-api-version": "2.1.0" + "plugin-api-version": "2.3.0" } diff --git a/phpunit.xml.dist b/phpunit.xml.dist index 70fdfa5ee71..9cf5067dbdd 100644 --- a/phpunit.xml.dist +++ b/phpunit.xml.dist @@ -17,6 +17,12 @@ + + + + + + 
diff --git a/src/Eccube/EventListener/LoginHistoryListener.php b/src/Eccube/EventListener/LoginHistoryListener.php
index e46ff27203f..b25d31f1557 100644
--- a/src/Eccube/EventListener/LoginHistoryListener.php
+++ b/src/Eccube/EventListener/LoginHistoryListener.php
@@ -24,7 +24,9 @@
 use Symfony\Component\HttpFoundation\RequestStack;
 use Symfony\Component\Security\Core\AuthenticationEvents;
 use Symfony\Component\Security\Core\Event\AuthenticationFailureEvent;
+use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
 use Symfony\Component\Security\Http\Event\InteractiveLoginEvent;
+use Symfony\Component\Security\Http\Event\LoginFailureEvent;
 use Symfony\Component\Security\Http\SecurityEvents;
 
 class LoginHistoryListener implements EventSubscriberInterface
@@ -74,7 +76,7 @@ public static function getSubscribedEvents()
 {
 return [
 SecurityEvents::INTERACTIVE_LOGIN => 'onInteractiveLogin',
- AuthenticationEvents::AUTHENTICATION_FAILURE => 'onAuthenticationFailure',
+ LoginFailureEvent::class => 'onAuthenticationFailure',
 ];
 }
 
@@ -103,7 +105,7 @@ public function onInteractiveLogin(InteractiveLoginEvent $event)
 }
 }
 
- public function onAuthenticationFailure(AuthenticationFailureEvent $event)
+ public function onAuthenticationFailure(LoginFailureEvent $event)
 {
 $request = $this->requestStack->getCurrentRequest();
 
@@ -116,9 +118,12 @@ public function onAuthenticationFailure(AuthenticationFailureEvent $event)
 return;
 }
 
- $userName = $event->getAuthenticationToken()->getUsername();
 $Member = null;
- if ($userName) {
+ $userName = null;
+ $passport = $event->getPassport();
+ if ($passport->hasBadge(UserBadge::class)) {
+ $userName = $passport->getBadge(UserBadge::class)
+ ->getUserIdentifier();
 $Member = $this->memberRepository->findOneBy(['login_id' => $userName]);
 }
 
diff --git a/src/Eccube/Resource/locale/validators.ja.yaml b/src/Eccube/Resource/locale/validators.ja.yaml
index defc2b2894d..5b28a06919a 100644
--- a/src/Eccube/Resource/locale/validators.ja.yaml
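Review bot: `$passport->hasBadge(UserBadge::class)` in the last hunk is called without a null check, and as far as I can tell `LoginFailureEvent::getPassport()` is nullable in Symfony 5.4, so a failure raised before the authenticator built a passport would make this listener throw inside the failure path instead of recording the attempt; guard it with `if ($passport !== null && $passport->hasBadge(UserBadge::class)) {`. The first hunk keeps the `AuthenticationEvents` and `AuthenticationFailureEvent` imports although their only visible uses are removed by the second and third hunks, so they should go unless something else in the file still references them. `onAuthenticationFailure` continues past the end of the last hunk.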
+++ b/src/Eccube/Resource/locale/validators.ja.yaml @@ -22,6 +22,9 @@ Invalid credentials.: | Invalid CSRF token.: | ログインできませんでした。 入力内容に誤りがないかご確認ください。 +Too many failed login attempts, please try again later.: ログイン試行回数を超えました。しばらくして再度お試しください。 +Too many failed login attempts, please try again in %minutes% minute.: ログイン試行回数が多すぎます。%minutes%分後に再度お試しください。 +Too many failed login attempts, please try again in %minutes% minutes.: ログイン試行回数が多すぎます。%minutes%分後に再度お試しください。 #------------------------------------------------------------------------------------ # EC-CUBE error message diff --git a/symfony.lock b/symfony.lock index ce4d6d40df7..ac247a3e91c 100644 --- a/symfony.lock +++ b/symfony.lock @@ -491,6 +491,18 @@ "symfony/intl": { "version": "v3.4.1" }, + "symfony/lock": { + "version": "5.4", + "recipe": { + "repo": "github.com/symfony/recipes", + "branch": "main", + "version": "5.2", + "ref": "a1c8800e40ae735206bb14586fdd6c4630a51b8d" + }, + "files": [ + "app/config/eccube/packages/lock.yaml" + ] + }, "symfony/mailer": { "version": "5.4", "recipe": { @@ -587,6 +599,9 @@ "symfony/proxy-manager-bridge": { "version": "v3.4.4" }, + "symfony/rate-limiter": { + "version": "v5.4.9" + }, "symfony/routing": { "version": "3.3", "recipe": { From 5cae9730e0248561e0b6894c1c42ee43acb1bcd5 Mon Sep 17 00:00:00 2001 From: Kentaro Ohkouchi Date: Tue, 26 Jul 2022 17:27:15 +0900 Subject: [PATCH 2/4] =?UTF-8?q?Bundle=20=E3=83=97=E3=83=A9=E3=82=B0?= =?UTF-8?q?=E3=82=A4=E3=83=B3=E3=81=AE=E4=BF=AE=E6=AD=A3?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit services.yaml の設定を以下に変更 ``` security: enable_authenticator_manager: true ``` --- codeception/_data/plugins/Bundle-1.0.0.tgz | Bin 2092 -> 2087 bytes codeception/_data/plugins/Bundle-1.0.1.tgz | Bin 2073 -> 2078 bytes 2 files changed, 0 insertions(+), 0 deletions(-) 
diff --git a/codeception/_data/plugins/Bundle-1.0.0.tgz b/codeception/_data/plugins/Bundle-1.0.0.tgz index 210cec1b7c5daaa6c142f4a59620ae0d1733db38..b565cc186a49cf95a5744b7a54ac3ffb73bbb7e9 100644 GIT binary patch delta 2082 zcmV+-2;KLr5T_7-ABzY80000000Zq>ZFAx{63%D;3T<|#fUUt`1927EnY)BxYEqk> zP(b!-Z^*e6TYzSa?3L{h?kfNNT9VCMAS5}Gt-I6n0fW`*ZmV1BM>3}=^8->jcu7T8|3;&6bbzXR^15P*=3Z zs7qqPZ-{SyW*x^#5;ZH8>2zumuk5AQ#PmY*TU5!~KZP76V}gb$=e%5M#=?OR06C`7tpec@#PveBs>og%gn$lzpE%0=4 zm~xMRA)g2jD~7@Fgv1eso1GvXQ8rMsA-fzKMjEewH+>`#VLoBr?2LUQo^Wi?3MUcR z=b23YvxDRKSgPpFCc}`;q+rMhOSY(C38swj)0752;oJIthGG4Ma7KcA{(1q}M9VW9 zk=q0;|E7UH@MLo8q6( z!hI#eqvBt;8&1usRc(;7jvUSZUI!1x|Nf%;&`JAXD`S-)kTyUdm~IGHXIvP{r8AP@JIjP!A^|cPH@NBf^^~;VChq zypqRFSw{%FDYjdJ1iBX|m;KMSD?Tr}XMaEGpIv-$d+qLT?XKJDp8a;xZ@a&=e=jvr z;q7;MVr2r!5R}ICDSunRQB+aP>myEZ|=BVta-hk{`Qvf#T?o$X30%+-+b5XLy- zKn`x3sC#ifSE&xmM2C>me@dFW(oxbhH4-j(CLZeq!QxBNer8a@H=6f^=2Zj6v>s#*|S6UO6cX*WU~Pw z=Zfa1C>Q$x>d|Dg%Di>MSn#Yu+|NZhNw#Oj15+~3kXZ8Cg-U#bX&@YbYND?NPOuNW zzc7XMi4?BpLcZd}bCD~hD}qHy5@e4o6#AhDn?IH(wUL)MCGjKdQb(c>M{G6@gGnWd zxr1^c1lvs!lyFKx$4KoSJH2k%a!~Pezu$pj@?edmBvyN&PR!+j{NPt86tHRzy5x_P z#K|WqHk(-o`)`sv*l z(b(BncHSDM#SE7RA5HW{N)90Y&LA@(eppWS}x$8^BL1Hy}63yP?lD@5H~NSG_6Ojx4KC$}f^ zAqrO|V~cZ={7J{uw`bd*D_XO=PzU?5ap=dOt8>xo=WWNv-SHz9sP*}OEsrDjy8!H( z|3?i+&40VmfStdX{|&3I=l^R!zyHbK|6~i)SH&YY`~_%#u>4n=W>dX!dH(^nAvg#M z;+xoqUA>bEb{_aEf%^^H6&qKNnb1#!Czf=Gl=&?V+1|A)?4JMm``;s&_>MULt=9DX ze-(&AdnjIg9yZZoHZijza40hQ@J4K_LnfLnvuak=U7y4rr}9`xv}6P!d;f@_X2Z@& zNeU{VbPLsgW%UwIHF4O@P%c_kxu4rtLS@PzHlhfM{{OHu+aRZEraG&$%c^FUGpB`U z)vV>BOS?DOWSMr}G$q&I^KE6saWwuTD8oXiMCxD(MDC=Mzx M8=Xd~TmVo206;bpfB*mh delta 2090 zcmV+_2-Wwe5Udb?ABzY8<=@0&00Zq>ZFAeW5%y>P3e=Yj<(r5SsTa=3m$bH`Og!g{ zJ+ghBYvgiZ5|WTmAP*!hs~!LME&x*RvTUF1o3?m9h!U~bU1As52cV8K7KEg-_mZdr z+(tuOZMRXKzZTfDYi_mSIF4=GdsW-1yY?Pxyr@?>vLwZS9HBji8BR!&Y?9m7{$Gk? z6@PV6pH@7KcWOffxLL2S#2+b$Xd@B-x>Ik|st|a)QLi=kP<5wXY{36{{D1l@MB6Yb zKN{#qbUCC6>eG-QxW<^LDC(n5yWGAy?m)W`X-Dyd)4?z;`3FT4YM)u}PA@-N=qL

}NN`@+0e8T*=!%MI5C=g8CWg@Cz#lvjBzE zCoBP{SU=(;oYIKBLvctT9_W^mvFvwx((Zh@5N@g`NQXE@W1OIXCMl;kSxN#lrs)t` z;OUYm<30gH0TCWn41?hjNn#8)&%`5c4n2ZeWCA;F&ayZiL0svIFRiU)(v6-Bf3(0CRAq)lwbjsXsz81BrxWY583_{ z8u%ubedZ>@nh(OP$`?>SmK?|90zsn;l3s{EWG+sdY+X{~3ilSa0af&NPF|9k5NO)6;IlaYyDY3qj ziMhdSw{vlJ)opjC7O#$h5wIZ<1YnA`ZtA7VBj)`)yC4I`8l-;?Sb zPjX?dhKxrr$T0_YaMwcJv(u?cby_AmM4bLh^4x`vlBcPW@W37Gl7`r$RtI`6QOkY&5!mG#Fqa@BRb&`;b670k@Cx{E}?lm+S`loCG4(Ahpnd zW0uZYmARGqqo{96;s@BK4n!Z0 z*kl-mqe`4`7ZpMX_M0Lo(U^jcf!aQvUv$g1i%Op_FVA6^d{`tYNz`WOJmK<0zV{1M z3RpIKUGjTIlJt`ln@l%e%NmQV^!aOlEp`9{H*#EI{$3; z_Q$cz|9O<9te*PN}NP136;;0npaXNvj{N6s; zc)r<%G=X)mcPiFuaiS@bC*xwrP_)h813jFi8E3Nt#?l%w^hTv$amJSaoK8&n>bPX) zoVs93;&9Ncyj3TEiyjU}lzFlvF#M^=!JHCtOa~-9B)s(1R6N~U;OW*(!dl>D!V+Zx zxjT{%VO}2?8=RBePdcW)J=^|N(URSnI@pd4qaXoY=Vup}McbiqfB1;?X?gzN$m7V} zE&$u+f3xAL`R_CuZnY`qe@z?%==uNh(C>eW_dodp^;OY-$Tfcf>dpU^rqxn!T;6|x zT?h_CQ+yNKu)n)Y(Pc?Da%up^`Rk@$qS3+gVAU2{1ivIs}a@!!MYNk4>bIPh_ zmUE|tXw|9}qH~)!*<@Qz(KIGE;PYK&z;QhMJuJgQs6^^u2}JItljJVtc;=#5Foe|c zY>4144d9+#wez3is4AV5r*D)KX#F~^*!%g~P%I7*>sE)}FJLF!mwm*+hyD+olK}`C UlMo0748~gg2jp%;bO2BQ04SmyMF0Q* 
diff --git a/codeception/_data/plugins/Bundle-1.0.1.tgz b/codeception/_data/plugins/Bundle-1.0.1.tgz index ae641aee1338a0245ae104c1206420a307c58559..6116d88bc8f5d81730ced2d189487eb12e650375 100644 GIT binary patch literal 2078 zcmV+(2;ui1iwFP!000001MOOEbK*D>&S(D$Ejv@d)?l!Ct0FsdmoQ9CYO@mxlD*m+ zaxTRdpcx~3Wjlns%74F>Wb+mXAxE-xcX~cxuv*=1bxV5G<}_iRPs&Fxi3*@uuZyeI ztXGz=8IG)Kvr@Bb^=idFs#tcd**rq^7xgMd62+J!bi^>j5s9L0a=Y69OL3~=uP*A- z49DR?ZHNFjYPD_g7tvmdzXkEH*XxZVR5_>@TkwA#|DXQ?(Kd|oPX_u4U5;slhSVnr zt|8_z3WliDF14>tJJ2pf+CezubTp0&ZZT^@?F;kW`Q=9wo%lZLiPi}9NJRK8@yxX2 zIF7?sxjdatP2!f^oW5Y z%DPr{Mpmwe-;~Z@8D!$pZ&jL$@Sl^)b#%U8rT&7Y!)6W5uOzPnq6;Jn^oIt zK>QocW>v@kHSlQsA1=zz;)c8Up9uC!{Ozisgqr`o0yO{I#s3~7c_}M=Dy2)A;qrt! zV=>`Fu=<~o!xgf(tRK+{jMM})MQEelEhI4HfeYEb4-I@1%5jU(`xUk~B5@aU7+f$| z$P-tFJ{2_y!#6(h@+s95phHynfieekj%S6udZhfjx%y&p$!6AJ+29yQAIXq1DjuYe zKPPyUWVCp2agxMiyDw6cr?)z{FgoXuB?P(;PJo>H6z+fyocM7ca*;$?bN+#K`Q#oM zK78sIbmDlU3#AV(ObUL9M?jueMedE&Z*xu!(^Srcm#hHo!T)NO1^2CLrEcl{|1~g= zKjiL^j$R}Up2+`z^x1Yr+_!2~Ti5?y1?%w_n>K8>kvYQ?|3Ef&@V{EESzn8PQ(QFv zdj&+qO*oBbE!Y;+X6#_toM7vrE{+54OyIdkgtt)46JmtfP9C-7K0?@Sq0<&5(78Cd zy8LWA;`5?+_V<&^vx_fIztj7z({sALv)@iGJI*hi--|7jfBRiltV|#og3>r1NR(JCX`>HDo-1F%CJ9gS!^$U7XKVs$!Yw5ODfW zNpn{^N}8rd!U503V?AT|-{vs~4$Zk$ALhzPzDwpni~;z*H9xtu*abgzV79!)kI5OR)a-bcAO2T+&Bn^k758^(gC zJH*3Wl#^t8Ry;B#vkZwOuU)9bx0w3Ep%(g@=LCDe`}0#+pGf|CF61drJQulExZ_h@m$s{jwTc`g1-r<*VaDJ|)!|T@uB?eEF@aEIQbmQ0B;vK=J1y#U&-8 zOb0C7C%o`AuZX(2Le$NLgtgeA&6a(5yhB7a>pwm2urpL9%pd$#?#qBXk5g${I~0kYNaaXf4!pr|MM!)?|-uQ zKj{MXRq@CTe*qdS|COfIQg2+|e}H2M_Wiv0CeC5k@1%mA1%D;*uwlDmZspXTscLn0N$r`X)M+7FF{_#A(&N8+5i9m literal 2073 zcmV+!2&S(D$9XnHyt-;vlt%~f-UBWOmsm)GOK=x{H z$hj0-fM$&BmF*DjD*ydjlFeHnBw3QJyVLUlgVpM8t6Swh%SaS))cXpK>q#Dw1v-^@CW zlO$?YD%0uIBwpD|uZih}=C`PlwSNjZO2z~YQ_$h%RuE=B3aCd|3{J6O$R{|VA$y0S zfIvLZ4JA|A@9ebQ`O*_^swYUsI6+e!BcH|zr`Kshd^DxW7+T=z;xOeN0Yg3!9##y4 z;R%T&3^y-=bVS)e&4%o9WEg3@-t>_~g!zPdvs3nsc*3zkJDfydpJy`p&kG#KM^Z&^ 
zHW`L&CIv%ASh7V8OE6`GpQJSK3E$TDGYsp`gfkM{^VbW&CR(1^h}kgndUVi6Lc2k|D0?fgcR!enUk^?7lnZ@1m2kiUH!%|`p!uz9D zI)whB>z#3D{Mpmwe-;~ZZ|`K_DfQp7<@)bfHC_K-1DoQX&%%8r!lU9}bL!1%v+CFl zh<~Hmtm^o`1|E$6{YCj%+;A8F6Tx1Izf%>IQ1ic6faZU@_}@b$FJpy|rF0oHT%J&; zEFpXdR{t0|Tp@eQ`VpPLNKHUfj5gZcLINWmdXVi;p@DBAIc_m}zryxLB)PyG1{VyL zio}zl&qPha@O41^Vn+1@=n$3uLYa#>$FovVJyP-AT>atUlFhusvcWNqKawG3R6Izj zct-Fj&1v!A{5VaYV06wPO9*ry90NHGDBJ-ZI1Q2>8xeCtJ`@cjkQLvR>Ks>cVXlUZhcL(y2X=7VLf!MTxk`0fCOU+i z{!8-Qm5!39sgZEOGx1o@82-1#P0HK|NMSVQkmD`HfP>G4fO_&-B%Rr6bZs!eMArQW z^!G7=bOLT4X89%Ax+mEU@;LEDszGX@5yvc9vMO^?$+=5%u9VBuafcc4P}7k6o0aFS zPf`hS<0OV%MEISs&3ZEtSBm7y6Q1tWy%Ku4H`#1J$ho5VDayr0fO<69tTJ!iFcv&3 z5%+UZPLl0e@xYYKGbEP8cA*mAU>XRATIg$$6YK-=FHT{BBE_q@kgrJbT;xjWieOQa z4A~^NMWzZA`#fRN= zm9lKb*`O+hEn!Udp-XK&_UK$Mfk;gDq3JRTLhKX&6YNy?qL0%js(E&1h>U=8vPcT4 zX~moDnt8PDh&Uqw1*=c=Kt4UE|4I@)UBODApWb~Djh%gE=dEE{%y4<~(L!IOQvj<5=haJWLbvykp+2*unp;X0@@l|7%nmn*YBF zvh!b`K+41a> zgqOY+6;C%;c)GceFjqL4utb?pZja?d6t51AEzU{qCmmDYo^5}wXwB|I9c;(Op&x^; zi}PMTZ#y#Xjvlc-tCtIMt zDjK=rFF=FkztXf?>W$0$53mctK~NOm#5U~eom8;%z+Va6Z`iKbxO&Wlej+@vq(h|4 zZ*j=>u3cg0{IAyM^WTx@e>JOW>G}T}5QVlNUVRo?sE|#}tOyiDCKqnRt~z9**)}cH zR(E|8dz{KsA<>c%gzWtzf|?B*CnYJUgwickm(@!=)x=>lL%C>G<$i8o36&{>*oY!1 z`v220t%90c1ywWEQJqs(HM5*KEkrG|nu{)N-ei+)I(gHST!YWIl@Z6$`1ha;3!xIJ zfh7>RlTMP`gyV&aV!;qnCyOD1yVQq!wq<8O#Zgr Date: Mon, 1 Aug 2022 16:35:23 +0900 Subject: [PATCH 3/4] =?UTF-8?q?symfony/lock=E3=81=AE=E8=A8=98=E8=BF=B0?= =?UTF-8?q?=E4=BD=8D=E7=BD=AE=E3=82=92=E5=A4=89=E6=9B=B4?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .env.dist | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.env.dist b/.env.dist index 02b1984f1a6..8913c138131 100644 --- a/.env.dist +++ b/.env.dist 
@@ -30,6 +30,12 @@ DATABASE_CHARSET=utf8 MAILER_DSN=null://null ###< symfony/mailer ### +###> symfony/lock ### +# Choose one of the stores below +# postgresql+advisory://db_user:db_password@localhost/db_name +LOCK_DSN=semaphore +###< symfony/lock ### + ###> APPLICATION CONFIG ### # EC-CUBE Configs. The default value is defined in app/config/packages/eccube.yaml. # Please remove commented out and enable it if you want to change. @@ -56,9 +62,3 @@ MAILER_DSN=null://null #ECCUBE_RESTRICT_FILE_UPLOAD=0 ###< APPLICATION CONFIG ### - -###> symfony/lock ### -# Choose one of the stores below -# postgresql+advisory://db_user:db_password@localhost/db_name -LOCK_DSN=semaphore -###< symfony/lock ### From 087d284310ac99bec5e6b9fc89da0eaf9179847a Mon Sep 17 00:00:00 2001 From: Chihiro Adachi <8196725+chihiro-adachi@users.noreply.github.com> Date: Mon, 1 Aug 2022 16:36:19 +0900 Subject: [PATCH 4/4] =?UTF-8?q?parameter=E3=81=A7=E5=AE=9A=E7=BE=A9?= =?UTF-8?q?=E3=81=99=E3=82=8B=E3=82=88=E3=81=86=E3=81=AB=E4=BF=AE=E6=AD=A3?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- app/config/eccube/packages/eccube.yaml | 2 ++ app/config/eccube/packages/security.yaml | 8 ++++---- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/app/config/eccube/packages/eccube.yaml b/app/config/eccube/packages/eccube.yaml index b767acf138f..ecf2f758891 100644 --- a/app/config/eccube/packages/eccube.yaml +++ b/app/config/eccube/packages/eccube.yaml @@ -148,3 +148,5 @@ parameters: - admin_content_css - admin_content_js - admin_store_template_install + eccube_login_throttling_max_attempts: 5 + eccube_login_throttling_interval: '30 minutes' diff --git a/app/config/eccube/packages/security.yaml b/app/config/eccube/packages/security.yaml index 3facaa912bb..963d632ba4c 100644 --- a/app/config/eccube/packages/security.yaml +++ b/app/config/eccube/packages/security.yaml 
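Review bot: The two parameters added at the end of the eccube.yaml hunk, `eccube_login_throttling_max_attempts` and `eccube_login_throttling_interval`, are undocumented even though they now control the lockout on both firewalls; a one-line comment above them would help operators, e.g. `# Login throttling for the admin and customer firewalls: failed attempts allowed before lockout, and how long the lockout lasts (see security.yaml)`. It is also worth saying there that the interval must stay a relative interval string like the original `'30 minutes'` literal, since it is handed to the rate limiter unchanged.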
@@ -35,8 +35,8 @@ security:
 success_handler: eccube.security.success_handler
 failure_handler: eccube.security.failure_handler
 login_throttling:
- max_attempts: 5
- interval: '30 minutes'
+ max_attempts: '%eccube_login_throttling_max_attempts%'
+ interval: '%eccube_login_throttling_interval%'
 logout:
 path: admin_logout
 success_handler: eccube.security.logout.success_handler
@@ -59,8 +59,8 @@ security:
 success_handler: eccube.security.success_handler
 failure_handler: eccube.security.failure_handler
 login_throttling:
- max_attempts: 5
- interval: '30 minutes'
+ max_attempts: '%eccube_login_throttling_max_attempts%'
+ interval: '%eccube_login_throttling_interval%'
 logout:
 path: logout
 target: homepage