From b2d8b03a453b9a05ab102546cd7c8452b5221b78 Mon Sep 17 00:00:00 2001
From: Brion Vibber
Date: Fri, 8 Aug 2008 22:15:50 +0000
Subject: [PATCH] Cleanup for r38886 "(bug 12370) Add throttle on password attempts. Defaults to max 5 attempts in 5 minutes." Generated memcache key used the user name, which could contain spaces or be overlong, leading to failure to enforce the check. Switched to making the key using md5 of the username instead of the raw name, so "I Am Rocking" will get throttled as well as "WikiSysop". Note that it still will have no effect on a default install (with no general cache engine); for this sort of security-friendly thing it might be wise to use the DB-based cache to ensure it's functional.
---
 includes/specials/SpecialUserlogin.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/includes/specials/SpecialUserlogin.php b/includes/specials/SpecialUserlogin.php
index 4719a71b91..99ba68e027 100644
--- a/includes/specials/SpecialUserlogin.php
+++ b/includes/specials/SpecialUserlogin.php
@@ -376,7 +376,7 @@ class LoginForm {
 global $wgPasswordAttemptThrottle;
 if ( is_array($wgPasswordAttemptThrottle) ) {
- $key = wfMemcKey( 'password-throttle', wfGetIP(), $this->mName );
+ $key = wfMemcKey( 'password-throttle', wfGetIP(), md5( $this->mName ) );
 $count = $wgPasswordAttemptThrottle['count'];
 $period = $wgPasswordAttemptThrottle['seconds'];
-- 
2.20.1
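Review bot: The throttle key on the added line hashes `$this->mName` as submitted, so if that value is not already canonicalised at this point (the hunk does not show where it is set), spellings that resolve to the same account, such as first-letter case, underscores versus spaces, or surrounding whitespace, would each get their own counter and the per-account limit would be looser than configured. Consider hashing the canonical form instead, for example `$name = User::getCanonicalName( $this->mName );` followed by `$key = wfMemcKey( 'password-throttle', wfGetIP(), md5( $name !== false ? $name : $this->mName ) );`. A short comment such as `// md5 only makes the name safe as a cache key (no spaces, bounded length); it is not a security boundary` would also tell later readers why a hash appears here. The enclosing method starts and ends outside the hunk, so the canonicalisation may already happen earlier; worth confirming before merging.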