General hardening measure for Special:ConfirmEmail, similar to what's
already in place for Special:ChangeEmail.
Bug: T226733
Change-Id: I465e4748840e214531e930608386455084563bc6
* editmyuserjsredirect user right – users without this right now cannot edit JS
redirects in their userspace unless the target of the redirect is also in
their userspace. By default, this right is given to everyone.
* editmyuserjsredirect user right – users without this right now cannot edit JS
redirects in their userspace unless the target of the redirect is also in
their userspace. By default, this right is given to everyone.
+* (T226733) Add rate limiter to Special:ConfirmEmail.
==== Changed configuration ====
* $wgUseCdn, $wgCdnServers, $wgCdnServersNoPurge, and $wgCdnMaxAge – These four
==== Changed configuration ====
* $wgUseCdn, $wgCdnServers, $wgCdnServersNoPurge, and $wgCdnMaxAge – These four
'ip-all' => [ 10, 3600 ],
'user' => [ 4, 86400 ]
],
'ip-all' => [ 10, 3600 ],
'user' => [ 4, 86400 ]
],
+ // since 1.33 - rate limit email confirmations
+ 'confirmemail' => [
+ 'ip-all' => [ 10, 3600 ],
+ 'user' => [ 4, 86400 ]
+ ],
// Purging pages
'purge' => [
'ip' => [ 30, 60 ],
// Purging pages
'purge' => [
'ip' => [ 30, 60 ],
+ // rate limit email confirmations
+ if ( $user->pingLimiter( 'confirmemail' ) ) {
+ $this->getOutput()->addWikiMsg( 'actionthrottledtext' );
+
+ return;
+ }
+
$user->confirmEmail();
$user->saveSettings();
$message = $this->getUser()->isLoggedIn() ? 'confirmemail_loggedin' : 'confirmemail_success';
$user->confirmEmail();
$user->saveSettings();
$message = $this->getUser()->isLoggedIn() ? 'confirmemail_loggedin' : 'confirmemail_success';
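Review bot: The added throttle is checked against `$user`, the account resolved from the confirmation code, and sits immediately before `$user->confirmEmail()`, so it only counts requests that already carry a valid code; if the code lookup and the invalid-code early return happen above this hunk, as the position suggests, unsuccessful guesses never reach the limiter and the `ip-all` bucket does nothing against token guessing. The `user` bucket is likewise keyed on the account being confirmed rather than on whoever submits the link, even though the success message on the last line is picked from `$this->getUser()`, a different object. Consider moving the check to the top of the method, before the code is resolved, and keying it on the requester: `if ( $this->getUser()->pingLimiter( 'confirmemail' ) ) {` with the same `actionthrottledtext` message and early return. The enclosing method begins outside the hunk, so the exact position of the code lookup should be confirmed there.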