getCurrentBans: ignore tickets with the ban-time changed after correction (if other max ban-time of jail as in the database)

6 years ago · 7c0ac467bb
parent 76cb1c64ce
commit 7c0ac467bb
2 changed files with 13 additions and 6 deletions
--- a/fail2ban/server/database.py
+++ b/fail2ban/server/database.py
@ -764,8 +764,6 @@ class Fail2BanDb(object):
 		return cur.execute(query, queryArgs)

 	def _getCurrentBans(self, cur, jail = None, ip = None, forbantime=None, fromtime=None):
-		if fromtime is None:
-			fromtime = MyTime.time()
 		queryArgs = []
 		if jail is not None:
 			query = "SELECT ip, timeofban, bantime, bancount, data FROM bips WHERE jail=?"
@ -798,6 +796,8 @@ class Fail2BanDb(object):
 		(and therefore endOfBan) of the ticket (normally it is ban-time of jail as maximum)
 		for all tickets with ban-time greater (or persistent).
 		"""
+		if fromtime is None:
+			fromtime = MyTime.time()
 		tickets = []
 		ticket = None
 		if correctBanTime is True:
@ -822,6 +822,12 @@ class Fail2BanDb(object):
 					# if persistent ban (or greater as max), use current max-bantime of the jail:
 					if bantime == -1 or bantime > correctBanTime:
 						bantime = correctBanTime
+				# after correction check the end of ban again:
+				if bantime != -1 and timeofban + bantime <= fromtime:
+					# not persistent and too old - ignore it:
+					logSys.debug("ignore ticket (with new max ban-time %r): too old %r <= %r, ticket: %r",
+						bantime, timeofban + bantime, fromtime, ticket)
+					continue
 			except ValueError as e: # pragma: no cover
 				logSys.debug("get current bans: ignore row %r - %s", ticket, e)
 				continue
--- a/fail2ban/tests/databasetestcase.py
+++ b/fail2ban/tests/databasetestcase.py
@ -494,12 +494,13 @@ class DatabaseTest(LogCaptureTestCase):
 		# add persistent one:
 		ticket.setBanTime(-1)
 		self.db.addBan(self.jail, ticket)
-		# persistent bantime (-1), so never expired (1 persistent ticket):
+		# persistent bantime (-1), so never expired (but jail has other max bantime now):
 		tickets = self.db.getCurrentBans(jail=self.jail, forbantime=-1,
 			fromtime=MyTime.time() + MyTime.str2seconds("1year"))
-		self.assertEqual(len(tickets), 1)
-		self.assertEqual(tickets[0].getBanTime(), 600); # current jail ban time.
-		# change jail to persistent ban and try again:
+		# no tickets should be found (max ban time = 600):
+		self.assertEqual(len(tickets), 0)
+		self.assertLogged("ignore ticket (with new max ban-time %r)" % self.jail.getMaxBanTime())
+		# change jail to persistent ban and try again (1 persistent ticket):
 		self.jail.actions.setBanTime(-1)
 		tickets = self.db.getCurrentBans(jail=self.jail, forbantime=-1,
 			fromtime=MyTime.time() + MyTime.str2seconds("1year"))