dépôts / lhc / web / wiklou.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
SECURITY: rate-limit and prevent blocked users from changing email
[lhc/web/wiklou.git] / includes / specials / SpecialChangeEmail.php
diff --git a/includes/specials/SpecialChangeEmail.php b/includes/specials/SpecialChangeEmail.php
index 9ce8760..956ff77 100644 (file)
--- a/includes/specials/SpecialChangeEmail.php
+++ b/includes/specials/SpecialChangeEmail.php
@@ -78,6 +78,10 @@ class SpecialChangeEmail extends FormSpecialPage {
                        throw new PermissionsError( 'viewmyprivateinfo' );
                }
 
                        throw new PermissionsError( 'viewmyprivateinfo' );
                }
 
+               if ( $user->isBlockedFromEmailuser() ) {
+                       throw new UserBlockedError( $user->getBlock() );
+               }
+
                parent::checkExecutePermissions( $user );
        }
 
                parent::checkExecutePermissions( $user );
        }
 
@@ -162,6 +166,12 @@ class SpecialChangeEmail extends FormSpecialPage {
                        return Status::newFatal( 'changeemail-nochange' );
                }
 
                        return Status::newFatal( 'changeemail-nochange' );
                }
 
+               // To prevent spam, rate limit adding a new address, but do
+               // not rate limit removing an address.
+               if ( $newaddr !== '' && $user->pingLimiter( 'changeemail' ) ) {
+                       return Status::newFatal( 'actionthrottledtext' );
+               }
+
                $oldaddr = $user->getEmail();
                $status = $user->setEmailWithConfirmation( $newaddr );
                if ( !$status->isGood() ) {
                $oldaddr = $user->getEmail();
                $status = $user->setEmailWithConfirmation( $newaddr );
                if ( !$status->isGood() ) {
Wiklou, le Wiki du Wiklou