From: Brian Wolff
Date: Wed, 21 Nov 2018 16:15:28 +0000 (+0000)
Subject: SECURITY: rate-limit and prevent blocked users from changing email
X-Git-Tag: 1.34.0-rc.0~1502^2~3
X-Git-Url: https://git.heureux-cyclage.org/?p=lhc%2Fweb%2Fwiklou.git;a=commitdiff_plain;h=616525021b3691e30a980a42b837b7ad44ecfd09;hp=214b37ff07f3fde89430297b2a857750a56ae205;ds=sidebyside

SECURITY: rate-limit and prevent blocked users from changing email

This is to counter spam where people use Special:ChangeEmail to spam people with the confirmation email and using the username to promote their thing

Bug: T209794
Change-Id: I8b2bd0f60c66f44c91dc78e3512a73e4237df2f3
---

diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index f08f5b7859..ab1afe2109 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -5720,6 +5720,10 @@ $wgRateLimits = [
 'newbie' => [ 5, 86400 ],
 'user' => [ 20, 86400 ],
 ],
+ 'changeemail' => [
+ 'ip-all' => [ 10, 3600 ],
+ 'user' => [ 4, 86400 ]
+ ],
 // Purging pages
 'purge' => [
 'ip' => [ 30, 60 ],
diff --git a/includes/specials/SpecialChangeEmail.php b/includes/specials/SpecialChangeEmail.php
index 9ce87605fa..956ff77e8c 100644
--- a/includes/specials/SpecialChangeEmail.php
+++ b/includes/specials/SpecialChangeEmail.php
@@ -78,6 +78,10 @@ class SpecialChangeEmail extends FormSpecialPage {
 throw new PermissionsError( 'viewmyprivateinfo' );
 }
 
+ if ( $user->isBlockedFromEmailuser() ) {
+ throw new UserBlockedError( $user->getBlock() );
+ }
+
 parent::checkExecutePermissions( $user );
 }
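Review bot: The new `'user' => [ 4, 86400 ]` entry inside the `changeemail` block has no trailing comma, unlike the neighbouring `'newbie'`/`'user'` entries and the other lists in `$wgRateLimits`; write it as `'user' => [ 4, 86400 ],` so the next addition to the block does not have to touch this line. The block also lacks the short descriptive comment the surrounding entries carry (compare `// Purging pages`); a line such as `// Changing one's own email address via Special:ChangeEmail (see the pingLimiter( 'changeemail' ) call there)` would tell a sysadmin what the two buckets throttle. The meaning of the `ip-all` bucket versus `ip`/`user` is not stated here, so an admin tuning the 10-per-hour value has to look it up elsewhere; a half-line note would help.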
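Review bot: The block check added before `parent::checkExecutePermissions( $user )` rejects the whole special page for a user whose block disables email, so such a user can no longer remove an existing address either, while the limiter this commit adds to the submit path deliberately exempts removal (`$newaddr !== ''`). If the goal is only to stop outbound confirmation mail, the check could live next to that limiter and be gated the same way; if the asymmetry is intended, say so with a comment such as `// Users blocked from email may not change or clear their address; the rate limit applies to additions only.`. The call `throw new UserBlockedError( $user->getBlock() )` also assumes `getBlock()` is non-null whenever `isBlockedFromEmailuser()` is true, which is worth confirming against every path that can make the latter true. `checkExecutePermissions` begins before this hunk.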
@@ -162,6 +166,12 @@ class SpecialChangeEmail extends FormSpecialPage {
 return Status::newFatal( 'changeemail-nochange' );
 }
 
+ // To prevent spam, rate limit adding a new address, but do
+ // not rate limit removing an address.
+ if ( $newaddr !== '' && $user->pingLimiter( 'changeemail' ) ) {
+ return Status::newFatal( 'actionthrottledtext' );
+ }
+
 $oldaddr = $user->getEmail();
 $status = $user->setEmailWithConfirmation( $newaddr );
 if ( !$status->isGood() ) {
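Review bot: The `pingLimiter( 'changeemail' )` call runs before `setEmailWithConfirmation( $newaddr )`, so an attempt that the later call rejects appears to consume a `changeemail` token as well, and the comment above the check does not mention this; extend it to `// not rate limit removing an address. The hit is counted even if the change below fails.`, or move the check so that only a successful change is counted if that is the intended budget. The comment could also name the `$wgRateLimits['changeemail']` key it depends on, which would help anyone reading this method without the settings file open. The enclosing method starts before this hunk.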