General hardening measure for Special:ConfirmEmail, similar to what's
already in place for Special:ChangeEmail.
Bug: T226733
Change-Id: I465e4748840e214531e930608386455084563bc6
* editmyuserjsredirect user right – users without this right now cannot edit JS
redirects in their userspace unless the target of the redirect is also in
their userspace. By default, this right is given to everyone.
+* (T226733) Add rate limiter to Special:ConfirmEmail.
==== Changed configuration ====
* $wgUseCdn, $wgCdnServers, $wgCdnServersNoPurge, and $wgCdnMaxAge – These four
'ip-all' => [ 10, 3600 ],
'user' => [ 4, 86400 ]
],
+ // since 1.33 - rate limit email confirmations
+ 'confirmemail' => [
+ 'ip-all' => [ 10, 3600 ],
+ 'user' => [ 4, 86400 ]
+ ],
// Purging pages
'purge' => [
'ip' => [ 30, 60 ],
return;
}
+ // rate limit email confirmations
+ if ( $user->pingLimiter( 'confirmemail' ) ) {
+ $this->getOutput()->addWikiMsg( 'actionthrottledtext' );
+
+ return;
+ }
+
$user->confirmEmail();
$user->saveSettings();
$message = $this->getUser()->isLoggedIn() ? 'confirmemail_loggedin' : 'confirmemail_success';
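Review bot: The new limiter check keys the 'user' bucket on `$user`, while the next lines (L33) read `$this->getUser()` separately, which suggests `$user` is the account named by the confirmation token rather than the requester; if so, anyone presenting a token is counted against that account's quota, and whether that is the intended keying (versus the requesting user) deserves a one-line comment. The placement is sound in that the throttle runs before `confirmEmail()`, so a throttled request leaves the token unconsumed and the settings unsaved. I would add above the check `// Throttle on the account being confirmed (from the token); the 'ip-all' bucket still covers requester-level abuse` so the next reader does not assume it is the session user. The enclosing method starts and ends outside the hunk.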