SECURITY: rate-limit and prevent blocked users from changing email
authorBrian Wolff <bawolff+wn@gmail.com>
Wed, 21 Nov 2018 16:15:28 +0000 (16:15 +0000)
committerReedy <reedy@wikimedia.org>
Thu, 6 Jun 2019 16:37:18 +0000 (16:37 +0000)
This is to counter spam where people use Special:ChangeEmail to
send the confirmation email to arbitrary addresses, using the
username to promote their thing

Bug: T209794
Change-Id: I8b2bd0f60c66f44c91dc78e3512a73e4237df2f3

includes/DefaultSettings.php
includes/specials/SpecialChangeEmail.php

index f08f5b7..ab1afe2 100644 (file)
@@ -5720,6 +5720,10 @@ $wgRateLimits = [
                'newbie' => [ 5, 86400 ],
                'user' => [ 20, 86400 ],
        ],
+       'changeemail' => [
+               'ip-all' => [ 10, 3600 ],
+               'user' => [ 4, 86400 ]
+       ],
        // Purging pages
        'purge' => [
                'ip' => [ 30, 60 ],
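Review bot: The new `'changeemail'` entry is the only one in this part of `$wgRateLimits` without a label, while the neighbouring `'purge'` entry gets `// Purging pages`; add `// Changing email address (limits confirmation-mail spam, T209794)` above `'changeemail' => [`. The `'ip-all'` key presumably counts every request from an address regardless of login state, so 10 per hour also caps legitimate logged-in users behind a shared NAT; if that is intended, say so in the same comment so the next person tuning these numbers knows the `'user'` limit of 4 per day is not the only cap that applies to accounts.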
index 9ce8760..956ff77 100644 (file)
@@ -78,6 +78,10 @@ class SpecialChangeEmail extends FormSpecialPage {
                        throw new PermissionsError( 'viewmyprivateinfo' );
                }
 
+               if ( $user->isBlockedFromEmailuser() ) {
+                       throw new UserBlockedError( $user->getBlock() );
+               }
+
                parent::checkExecutePermissions( $user );
        }
 
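Review bot: The added `if ( $user->isBlockedFromEmailuser() )` only refuses users whose block carries the email restriction; a sitewide block without that flag still passes this guard and falls through to `parent::checkExecutePermissions( $user )`, which is narrower than the commit title's "blocked users" suggests. If excluding only email-blocked users is the intent (it matches the stated confirmation-mail spam motive), make that explicit with a comment above the check: `// Users blocked from sending email must not be able to trigger confirmation mails either`. If any active block should suffice, the condition needs to also consult the user's general block state rather than only the email flag. The enclosing checkExecutePermissions() starts above this hunk.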
@@ -162,6 +166,12 @@ class SpecialChangeEmail extends FormSpecialPage {
                        return Status::newFatal( 'changeemail-nochange' );
                }
 
+               // To prevent spam, rate limit adding a new address, but do
+               // not rate limit removing an address.
+               if ( $newaddr !== '' && $user->pingLimiter( 'changeemail' ) ) {
+                       return Status::newFatal( 'actionthrottledtext' );
+               }
+
                $oldaddr = $user->getEmail();
                $status = $user->setEmailWithConfirmation( $newaddr );
                if ( !$status->isGood() ) {
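Review bot: The added `$user->pingLimiter( 'changeemail' )` consumes a slot every time it is reached, before `setEmailWithConfirmation( $newaddr )` on the following line has had a chance to reject the address, so attempts that end in the `!$status->isGood()` branch still spend the 4-per-day `'user'` allowance although no confirmation mail was sent. Whether an address-validity check already runs earlier in this method is not visible in the hunk; if it does not, consider moving the limiter after that validation, or at least record the trade-off by extending the comment with `// Failed attempts are counted too, so the daily allowance is deliberately conservative.` The enclosing method starts and ends outside this hunk.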