'newbie' => [ 5, 86400 ],
'user' => [ 20, 86400 ],
],
+ 'changeemail' => [
+ 'ip-all' => [ 10, 3600 ],
+ 'user' => [ 4, 86400 ]
+ ],
// Purging pages
'purge' => [
'ip' => [ 30, 60 ],
namespace MediaWiki;
+/**
+ * @since 1.29
+ */
class HeaderCallback {
private static $headersSentException;
private static $messageSent = false;
* Register a callback to be called when headers are sent. There can only
* be one of these handlers active, so all relevant actions have to be in
* here.
+ *
+ * @since 1.29
*/
public static function register() {
header_register_callback( [ __CLASS__, 'callback' ] );
/**
* The callback, which is called by the transport
+ *
+ * @since 1.29
*/
public static function callback() {
// Prevent caching of responses with cookies (T127993)
/**
* Log a warning message if headers have already been sent. This can be
* called before flushing the output.
+ *
+ * @since 1.29
*/
public static function warnIfHeadersSent() {
if ( headers_sent() && !self::$messageSent ) {
'NamespaceRestrictions' => $namespaceRestrictions,
];
+ $status = SpecialBlock::validateTarget( $params['user'], $user );
+ if ( !$status->isOK() ) {
+ $this->dieStatus( $status );
+ }
+
$retval = SpecialBlock::processForm( $data, $this->getContext() );
if ( $retval !== true ) {
$this->dieStatus( $this->errorArrayToStatus( $retval ) );
}
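Review bot: Any warnings attached to the Status returned by `SpecialBlock::validateTarget` are silently dropped, because the new guard on L44 only reacts to a non-OK status and nothing else consumes `$status` before `processForm` runs. If validateTarget can report warning-level conditions for a target, forward them to the API client with `$this->addMessagesFromStatus( $status );` (assuming ApiBase provides it in this version) before falling through to `processForm`. A short comment such as `// Reject invalid/oversized targets early so the error is reported as a proper API error rather than via processForm's array` would also explain why validation now happens twice. The enclosing method starts before this hunk.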
// Check permissions
- if ( isset( $show['patrolled'] )
- || isset( $show['!patrolled'] )
- || isset( $show['unpatrolled'] )
- || isset( $show['autopatrolled'] )
- || isset( $show['!autopatrolled'] )
- ) {
+ if ( $this->includesPatrollingFlags( $show ) ) {
if ( !$user->useRCPatrol() && !$user->useNPPatrol() ) {
$this->dieWithError( 'apierror-permissiondenied-patrolflag', 'permissiondenied' );
}
return $vals;
}
+ /**
+ * @param array $flagsArray flipped array (string flags are keys)
+ * @return bool
+ */
+ private function includesPatrollingFlags( array $flagsArray ) {
+ return isset( $flagsArray['patrolled'] ) ||
+ isset( $flagsArray['!patrolled'] ) ||
+ isset( $flagsArray['unpatrolled'] ) ||
+ isset( $flagsArray['autopatrolled'] ) ||
+ isset( $flagsArray['!autopatrolled'] );
+ }
+
public function getCacheMode( $params ) {
- if ( isset( $params['show'] ) ) {
- foreach ( $params['show'] as $show ) {
- if ( $show === 'patrolled' || $show === '!patrolled' ) {
- return 'private';
- }
- }
+ if ( isset( $params['show'] ) &&
+ $this->includesPatrollingFlags( array_flip( $params['show'] ) )
+ ) {
+ return 'private';
}
if ( isset( $params['token'] ) ) {
return 'private';
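Review bot: The five patrol flags are still spelled out as a hand-written `isset()` chain inside `includesPatrollingFlags` (L70-L74), which is the same shape that let the permission check (L53-L58) and `getCacheMode` (L80) drift apart in the first place; a future sixth flag has to be added in one more place with no compiler help. Keep the list as data so both callers share it: `private static $patrollingFlags = [ 'patrolled', '!patrolled', 'unpatrolled', 'autopatrolled', '!autopatrolled' ];` and `return array_intersect_key( $flagsArray, array_flip( self::$patrollingFlags ) ) !== [];`. The helper's docblock should also say why it exists, e.g. `Patrol flags reveal privileged information, so any query that filters on them must be permission-checked and must never be publicly cached.` The method that contains the permission check starts before this hunk.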
| image\s*\(
| image-set\s*\(
| attr\s*\([^)]+[\s,]+url
+ | var\s*\(
!ix', $value ) ) {
return '/* insecure input */';
}
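Review bot: The new `var\s*\(` alternative on L94 only matches the literal token, so its safety depends on the normalisation that precedes this regex (outside the hunk) having already decoded CSS backslash escapes and stripped comments; otherwise spellings such as `v\61 r(` or `var/**/(` would bypass it exactly as they would for `url(`, and that should be confirmed against the earlier steps rather than assumed. Since the pattern carries no explanation of why custom-property references are treated as insecure, add one beside the alternative, e.g. `| var\s*\(          # custom-property references can pull in a value (e.g. a url()) defined elsewhere`, so the next maintainer does not remove it as a false positive.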
* @param string $par
*/
function execute( $par ) {
- $this->checkLoginSecurityLevel();
-
$out = $this->getOutput();
$out->disallowUserJs();
parent::execute( $par );
}
+ protected function getLoginSecurityLevel() {
+ return $this->getName();
+ }
+
protected function checkExecutePermissions( User $user ) {
if ( !AuthManager::singleton()->allowsPropertyChange( 'emailaddress' ) ) {
throw new ErrorPageError( 'changeemail', 'cannotchangeemail' );
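Review bot: The new `getLoginSecurityLevel()` override on L107-L109 has no docblock, and its effect is not obvious: returning the page name makes the re-authentication requirement depend on `parent::execute()` (outside the hunk) consulting `getLoginSecurityLevel()` and calling the check itself, which the removed explicit call on L101 no longer guarantees from this class. A comment such as `/** Require re-authentication before the e-mail address can be changed; the special page name doubles as the security-level key. */` would make that dependency explicit. Note also that `$out->disallowUserJs()` now runs before the security check rather than after it; that looks harmless, but it is a behaviour change worth confirming.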
throw new PermissionsError( 'viewmyprivateinfo' );
}
+ if ( $user->isBlockedFromEmailuser() ) {
+ throw new UserBlockedError( $user->getBlock() );
+ }
+
parent::checkExecutePermissions( $user );
}
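Review bot: The new block check on L116-L118 carries no explanation of why a user who is blocked from e-mailing others should be prevented from changing their own address, and without it the check reads as a mistake. Presumably the reason is that setting a new address triggers a confirmation mail to an attacker-chosen recipient, which is the same spam channel the sendemail block is meant to close; if so, say it: `// Changing the address sends a confirmation mail to an arbitrary recipient, so treat it like sending e-mail.` The ordering is sensible: the block is checked after the `viewmyprivateinfo` permission check and before the generic checks in the parent, so the more specific error wins.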
return Status::newFatal( 'changeemail-nochange' );
}
+ // To prevent spam, rate limit adding a new address, but do
+ // not rate limit removing an address.
+ if ( $newaddr !== '' && $user->pingLimiter( 'changeemail' ) ) {
+ return Status::newFatal( 'actionthrottledtext' );
+ }
+
$oldaddr = $user->getEmail();
$status = $user->setEmailWithConfirmation( $newaddr );
if ( !$status->isGood() ) {
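Review bot: The limiter on L126 is consumed before `setEmailWithConfirmation` runs, so malformed or rejected addresses also count against the quota; that is the safe direction for an anti-spam throttle (failed probes are still probes), but nothing in the comment says it is deliberate, and a later "fix" that moves the check after the status test would quietly weaken it. Extend the comment on L124-L125 with `Attempts are counted even if the new address is rejected, so the check must stay ahead of setEmailWithConfirmation().` The enclosing method starts before this hunk.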
);
$this->mUser = $this->getMutableTestUser()->getUser();
+ $this->setMwGlobals( 'wgBlockCIDRLimit', [
+ 'IPv4' => 16,
+ 'IPv6' => 19,
+ ] );
}
protected function getTokens() {
$tokens = $this->getTokens();
$this->assertNotNull( $this->mUser, 'Sanity check' );
- $this->assertNotSame( 0, $this->mUser->getId(), 'Sanity check' );
$this->assertArrayHasKey( 'blocktoken', $tokens, 'Sanity check' );
self::$users['sysop']->getUser()
);
}
+
+ public function testRangeBlock() {
+ $this->mUser = User::newFromName( '128.0.0.0/16', false );
+ $this->doBlock();
+ }
+
+ /**
+ * @expectedException ApiUsageException
+ * @expectedExceptionMessage Range blocks larger than /16 are not allowed.
+ */
+ public function testVeryLargeRangeBlock() {
+ $this->mUser = User::newFromName( '128.0.0.0/1', false );
+ $this->doBlock();
+ }
}
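Review bot: `testVeryLargeRangeBlock` (L158-L161) uses a `/1` range, which is far beyond the `/16` limit set in `setMwGlobals` on L135-L138, so the test would still pass if the comparison were off by one; a `/15` target pins the boundary, and `testRangeBlock` with `/16` already covers the accepted side. The IPv6 limit configured on L137 has no test at all, so add the corresponding pair (e.g. a `/19` that succeeds and a `/18` that is rejected) with the matching expected message. The hard-coded `@expectedExceptionMessage` on L156 will also need updating if the message text changes; consider asserting on the message key via the ApiUsageException status instead.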
],
[ '/* insecure input */', 'foo: attr( title, url );' ],
[ '/* insecure input */', 'foo: attr( title url );' ],
+ [ '/* insecure input */', 'foo: var(--evil-attribute)' ],
];
}
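Review bot: The single new case on L166 only exercises the literal lowercase `var(` with no whitespace, so it does not pin the `\s*` and case-insensitive parts of the pattern that the Sanitizer change relies on; add `[ '/* insecure input */', 'foo: VAR ( --x )' ]` alongside it. A negative case for a plain custom-property declaration with a harmless value, if the sanitizer is meant to allow it, would also document the intended boundary of the new rule.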