SECURITY: Throttle uploads

Add throttle check in ApiUpload and SpecialUpload.

Bug: T91850
Change-Id: If33cc99f304aab2486507c7500b4abb06b6b5d70

diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 9eff602..c491b15 100644 (file)
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -5214,6 +5214,12 @@ $wgRateLimits = array(
                'ip' => null, // for each anon and recent account
                'subnet' => null, // ... within a /24 subnet in IPv4 or /64 in IPv6
        ),
+       'upload' => array(
+               'user' => null,
+               'newbie' => null,
+               'ip' => null,
+               'subnet' => null,
+       ),
        'move' => array(
                'user' => null,
                'newbie' => null,

diff --git a/includes/api/ApiUpload.php b/includes/api/ApiUpload.php
index b621cb0..83a604c 100644 (file)
--- a/includes/api/ApiUpload.php
+++ b/includes/api/ApiUpload.php
@@ -139,6 +139,12 @@ class ApiUpload extends ApiBase {
                        return $this->getStashResult( $warnings );
                }
 
+               // Check throttle after we've handled warnings
+               if ( UploadBase::isThrottled( $this->getUser() )
+               ) {
+                       $this->dieUsageMsg( 'actionthrottledtext' );
+               }
+
                // This is the most common case -- a normal upload with no warnings
                // performUpload will return a formatted properly for the API with status
                return $this->performUpload( $warnings );

diff --git a/includes/specials/SpecialUpload.php b/includes/specials/SpecialUpload.php
index 7b98a34..6692bb6 100644 (file)
--- a/includes/specials/SpecialUpload.php
+++ b/includes/specials/SpecialUpload.php
@@ -475,6 +475,14 @@ class SpecialUpload extends SpecialPage {
                        }
                }
 
+               // This is as late as we can throttle, after expected issues have been handled
+               if ( UploadBase::isThrottled( $this->getUser() ) ) {
+                       $this->showRecoverableUploadError(
+                               $this->msg( 'actionthrottledtext' )->escaped()
+                       );
+                       return;
+               }
+
                // Get the page text if this is not a reupload
                if ( !$this->mForReUpload ) {
                        $pageText = self::getInitialPageText( $this->mComment, $this->mLicense,

diff --git a/includes/upload/UploadBase.php b/includes/upload/UploadBase.php
index 5f4a16a..f600e32 100644 (file)
--- a/includes/upload/UploadBase.php
+++ b/includes/upload/UploadBase.php
@@ -125,6 +125,16 @@ abstract class UploadBase {
                return true;
        }
 
+       /**
+        * Returns true if the user has surpassed the upload rate limit, false otherwise.
+        *
+        * @param User $user
+        * @return bool
+        */
+       public static function isThrottled( $user ) {
+               return $user->pingLimiter( 'upload' );
+       }
+
        // Upload handlers. Should probably just be a global.
        private static $uploadHandlers = array( 'Stash', 'File', 'Url' );