From: Brian Wolff
Date: Wed, 21 Nov 2018 16:15:28 +0000 (+0000)
Subject: SECURITY: rate-limit and prevent blocked users from changing email
X-Git-Tag: 1.31.2~7
X-Git-Url: http://git.heureux-cyclage.org/?p=lhc%2Fweb%2Fwiklou.git;a=commitdiff_plain;h=a3a9b8d440c10e0f1937b20d36cd9e1004843197

SECURITY: rate-limit and prevent blocked users from changing email

This is to counter spam where people use Special:ChangeEmail to spam people with the confirmation email and using the username to promote their thing

Bug: T209794
Change-Id: I8b2bd0f60c66f44c91dc78e3512a73e4237df2f3
---

diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 89b77d28b3..43b30b05c7 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -5681,6 +5681,10 @@ $wgRateLimits = [
 'newbie' => [ 5, 86400 ],
 'user' => [ 20, 86400 ],
 ],
+ 'changeemail' => [
+ 'ip-all' => [ 10, 3600 ],
+ 'user' => [ 4, 86400 ]
+ ],
 // Purging pages
 'purge' => [
 'ip' => [ 30, 60 ],
diff --git a/includes/specials/SpecialChangeEmail.php b/includes/specials/SpecialChangeEmail.php
index 1bd42ac0c8..05f8022f51 100644
--- a/includes/specials/SpecialChangeEmail.php
+++ b/includes/specials/SpecialChangeEmail.php
@@ -78,6 +78,10 @@ class SpecialChangeEmail extends FormSpecialPage {
 throw new PermissionsError( 'viewmyprivateinfo' );
 }
 
+ if ( $user->isBlockedFromEmailuser() ) {
+ throw new UserBlockedError( $user->getBlock() );
+ }
+
 parent::checkExecutePermissions( $user );
 }
 
@@ -164,6 +168,12 @@ class SpecialChangeEmail extends FormSpecialPage {
 return Status::newFatal( 'changeemail-nochange' );
 }
 
+ // To prevent spam, rate limit adding a new address, but do
+ // not rate limit removing an address.
+ if ( $newaddr !== '' && $user->pingLimiter( 'changeemail' ) ) {
+ return Status::newFatal( 'actionthrottledtext' );
+ }
+
 $oldaddr = $user->getEmail();
 $status = $user->setEmailWithConfirmation( $newaddr );
 if ( !$status->isGood() ) {
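Review bot: The new `'user' => [ 4, 86400 ]` line in the `$wgRateLimits` hunk omits the trailing comma that every sibling entry visible here carries (`'user' => [ 20, 86400 ],` just above), so the next addition to the `'changeemail'` block will have to touch this line as well; write `'user' => [ 4, 86400 ],`. The entry is also the only one in the hunk without a heading comment like the adjacent `// Purging pages`; a line such as `// Adding a new address via Special:ChangeEmail (removal is not limited)` above `'changeemail' => [` would tell an operator what the two limits govern without reading the special page. Both limits are applied from SpecialChangeEmail, which this commit changes in the same patch.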
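Review bot: The check added to checkExecutePermissions reuses `isBlockedFromEmailuser()`, a predicate named for the send-email feature, so a reader will not see why a block that stops outbound email also forbids changing one's own address; add `// A block that prevents sending email also prevents changing the address, since the confirmation mail sent to the new address is itself an outbound message.` above the `if`. The check sits before `parent::checkExecutePermissions( $user )`, so a blocked user is presumably refused before the form is even built, which is the right order. checkExecutePermissions begins outside the hunk, so whether an earlier branch already returns for blocked users cannot be confirmed from here.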
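Review bot: `$user->pingLimiter( 'changeemail' )` is evaluated before `setEmailWithConfirmation( $newaddr )`, so an attempt whose address is later rejected still counts against the limit; that is a reasonable choice for an anti-spam throttle, but the comment only explains the removal exemption, so extend it with `// The limiter is pinged before validation, so repeated invalid submissions are throttled too.` The `$newaddr !== ''` test assumes the value has already been trimmed upstream; if a whitespace-only address can reach this point it would be limited as an addition yet treated as a removal below, which is worth confirming against the form's field definition. The enclosing method starts before and ends after the hunk.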