From 1dd54d80af8403c0f36746f482a46ffb41fb28ed Mon Sep 17 00:00:00 2001
From: sbassett
Date: Thu, 27 Jun 2019 15:18:54 -0500
Subject: [PATCH] Add rate limiter to Special:ConfirmEmail

General hardening measure for Special:ConfirmEmail, similar to what's already in place for Special:ChangeEmail.

Bug: T226733
Change-Id: I465e4748840e214531e930608386455084563bc6
---
 RELEASE-NOTES-1.34 | 1 +
 includes/DefaultSettings.php | 5 +++++
 includes/specials/SpecialConfirmemail.php | 7 +++++++
 3 files changed, 13 insertions(+)

diff --git a/RELEASE-NOTES-1.34 b/RELEASE-NOTES-1.34
index 9660e9ec6c..e98c943cd8 100644
--- a/RELEASE-NOTES-1.34
+++ b/RELEASE-NOTES-1.34
@@ -39,6 +39,7 @@ For notes on 1.33.x and older releases, see HISTORY.
 * editmyuserjsredirect user right – users without this right now cannot edit JS redirects in their userspace unless the target of the redirect is also in their userspace. By default, this right is given to everyone.
+* (T226733) Add rate limiter to Special:ConfirmEmail.
 
 ==== Changed configuration ====
 * $wgUseCdn, $wgCdnServers, $wgCdnServersNoPurge, and $wgCdnMaxAge – These four
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index fea5ff9ea7..208cfe6ea0 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -5711,6 +5711,11 @@ $wgRateLimits = [
 'ip-all' => [ 10, 3600 ],
 'user' => [ 4, 86400 ]
 ],
+// since 1.33 - rate limit email confirmations
+'confirmemail' => [
+'ip-all' => [ 10, 3600 ],
+'user' => [ 4, 86400 ]
+],
 // Purging pages
 'purge' => [
 'ip' => [ 30, 60 ],
diff --git a/includes/specials/SpecialConfirmemail.php b/includes/specials/SpecialConfirmemail.php
index 99e6dde7f0..7f327194c5 100644
--- a/includes/specials/SpecialConfirmemail.php
+++ b/includes/specials/SpecialConfirmemail.php
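Review bot: The version tag in the new comment, `// since 1.33 - rate limit email confirmations`, does not match the release this commit targets: the same patch adds its entry to RELEASE-NOTES-1.34, so the `confirmemail` key first exists in 1.34. Suggest `// since 1.34 - rate limit email confirmations`. The enclosing `$wgRateLimits` array opens outside the hunk (`$wgRateLimits = [` appears only as hunk-header context); if that array carries a doc comment enumerating the recognised action keys, `confirmemail` presumably needs adding there too, which cannot be checked from this view.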
@@ -155,6 +155,13 @@ class EmailConfirmation extends UnlistedSpecialPage {
 return;
 }
 
+// rate limit email confirmations
+if ( $user->pingLimiter( 'confirmemail' ) ) {
+$this->getOutput()->addWikiMsg( 'actionthrottledtext' );
+
+return;
+}
+
 $user->confirmEmail();
 $user->saveSettings();
 $message = $this->getUser()->isLoggedIn() ? 'confirmemail_loggedin' : 'confirmemail_success';
-- 
2.20.1
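Review bot: The new `pingLimiter` call sits after the `return;` of the preceding branch, so whatever that branch rejects is never counted against the limit; if, as its position suggests, that branch is the invalid-code path (the start of this method is outside the hunk), the guard throttles only successful redemptions, which are one-shot anyway, and leaves brute-force guessing of confirmation codes unthrottled. `$user` here also appears to be the account resolved from the code rather than the requester (confirm), so an attacker cycling codes never even reaches the `user` bucket. For the hardening to bite, run the check before the code lookup and on the requesting user, e.g. `if ( $this->getUser()->pingLimiter( 'confirmemail' ) ) {` as the method's first statement, so failed attempts from one IP accumulate in the `ip-all` bucket configured in DefaultSettings.php. If the intent is only to cap redemptions per account, say so in the comment, e.g. `// Caps successful confirmations per account/IP; invalid codes are rejected above and not counted`, so the next reader does not assume brute-force protection.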