* (bug 15055) Talk page notifications no longer attempt to send mail when
user's e-mail address is invalid or unconfirmed
* (bug 2443) Add image name as alt-text when no caption is provided.
+* (bug 12370) Add throttle on password attempts. Defaults to max 5 attempts in 5 minutes.
=== API changes in 1.14 ===
* ting this variable false.
*/
$wgUseAutomaticEditSummaries = true;
+
+/**
+ * Limit password attempts to X attempts per Y seconds per IP per account.
+ * Requires memcached.
+ */
+$wgPasswordAttemptThrottle = array( 5, 300 );
\ No newline at end of file
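Review bot: The doc comment on `$wgPasswordAttemptThrottle` does not say what the two array elements mean or how to switch the throttle off, and "Requires memcached" understates the dependency. I would expand it along the lines of `Array of ( maximum attempts, window in seconds ); set to false to disable.`, since the login check added in this commit only runs when the value is an array with at least two elements. It is also worth one sentence stating that on a wiki without a working object cache the limit is presumably never enforced rather than failing closed, so administrators do not assume protection they do not have.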
const RESET_PASS = 7;
const ABORTED = 8;
const CREATE_BLOCKED = 9;
+ const THROTTLED = 10;
var $mName, $mPassword, $mRetype, $mReturnTo, $mCookieCheck, $mPosted;
var $mAction, $mCreateaccount, $mCreateaccountMail, $mMailmypassword;
if ( '' == $this->mName ) {
return self::NO_NAME;
}
+
+ global $wgPasswordAttemptThrottle;
+ if (is_array($wgPasswordAttemptThrottle) && count($wgPasswordAttemptThrottle) >=2) {
+ list($count,$period) = $wgPasswordAttemptThrottle;
+ $key = wfMemcKey( 'password-throttle', wfGetIP(), $this->mName );
+
+ global $wgMemc;
+ $cur = $wgMemc->get($key);
+ if ($cur>0 && $cur<$count) {
+ $wgMemc->incr($key);
+ // Okay
+ } elseif ($cur>0) {
+ return self::THROTTLED;
+ } elseif (!$cur) {
+ $wgMemc->add( $key, 1, $period );
+ }
+ }
// Load $wgUser now, and check to see if we're logging in as the same name.
// This is necessary because loading $wgUser (say by calling getName()) calls
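Review bot: The counter in the added block is incremented before the password is checked and nothing visible here clears it, so correct logins also use up the budget and a user who logs in successfully several times within the period would get `THROTTLED`. Clearing the key on the success path (outside this hunk), e.g. `$wgMemc->delete( $key );`, would avoid that. The key is built from `$this->mName` as submitted; if the name has not been canonicalised at this point, different spellings that resolve to the same account would each get their own counter, so the key should use the canonical form of the name. The `get` followed by `incr`/`add` is not atomic, so parallel requests can slightly exceed `$count`, and the `THROTTLED` return writes no log entry, which leaves operators without a signal that password guessing is under way. The enclosing function starts and ends outside the hunk.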
case self::CREATE_BLOCKED:
$this->userBlockedMessage();
break;
+ case self::THROTTLED:
+ $this->mainLoginForm( wfMsg( 'login-throttled' ) );
+ break;
default:
throw new MWException( "Unhandled case value" );
}
You should log in and change your password now.
You may ignore this message, if this account was created in error.',
+'login-throttled' => "You have made too many recent attempts on this account's password. Please wait before trying again.",
'loginlanguagelabel' => 'Language: $1',
'loginlanguagelinks' => '* Deutsch|de
* English|en