From: csteipp
Date: Thu, 12 Mar 2015 01:44:44 +0000 (-0700)
Subject: SECURITY: Throttle uploads
X-Git-Tag: 1.31.0-rc.0~9369^2
X-Git-Url: http://git.cyclocoop.org/clavettes/images/siteon3.jpg?a=commitdiff_plain;h=c8043915727cad35034a5c3fd4acb3afadc0e7b8;p=lhc%2Fweb%2Fwiklou.git
SECURITY: Throttle uploads
Add throttle check in ApiUpload and SpecialUpload.
Bug: T91850
Change-Id: If33cc99f304aab2486507c7500b4abb06b6b5d70
---
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 9eff602bf4..c491b156b3 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -5214,6 +5214,12 @@ $wgRateLimits = array(
 'ip' => null, // for each anon and recent account
 'subnet' => null, // ... within a /24 subnet in IPv4 or /64 in IPv6
 ),
+ 'upload' => array(
+ 'user' => null,
+ 'newbie' => null,
+ 'ip' => null,
+ 'subnet' => null,
+ ),
 'move' => array(
 'user' => null,
 'newbie' => null,
diff --git a/includes/api/ApiUpload.php b/includes/api/ApiUpload.php
index b621cb0dde..83a604c61f 100644
--- a/includes/api/ApiUpload.php
+++ b/includes/api/ApiUpload.php
@@ -139,6 +139,12 @@ class ApiUpload extends ApiBase {
 return $this->getStashResult( $warnings );
 }
 
+ // Check throttle after we've handled warnings
+ if ( UploadBase::isThrottled( $this->getUser() )
+ ) {
+ $this->dieUsageMsg( 'actionthrottledtext' );
+ }
+
 // This is the most common case -- a normal upload with no warnings
 // performUpload will return a formatted properly for the API with status
 return $this->performUpload( $warnings );
diff --git a/includes/specials/SpecialUpload.php b/includes/specials/SpecialUpload.php
index 7b98a34815..6692bb6029 100644
--- a/includes/specials/SpecialUpload.php
+++ b/includes/specials/SpecialUpload.php
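Review bot: The new `'upload'` group in the `$wgRateLimits` hunk carries no explanation of what it limits, while the group just above annotates its `'ip'` and `'subnet'` buckets; a short comment such as `'upload' => array( // file uploads (ApiUpload, SpecialUpload)` would help operators find the knob this commit introduces. Every bucket defaults to null, which — if null leaves a bucket unlimited, as it appears to for the neighbouring groups — means the checks added elsewhere in this commit are inert until a site sets limits here; that is worth stating in the comment or the commit message so the change is not mistaken for a protection that is on by default.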
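Review bot: The early `return $this->getStashResult( $warnings );` just above the new check leaves the method before the throttle runs, so a stash-only request is never counted; if that is deliberate the comment should say so, e.g. `// Check throttle after we've handled warnings (stash-only requests are not counted)`, otherwise the check belongs before that return. As a point of style, the closing parenthesis of the new condition sits on its own line (`if ( UploadBase::isThrottled( $this->getUser() )` / `) {`) while the SpecialUpload hunk in this same commit writes the equivalent condition on one line; fold it to `if ( UploadBase::isThrottled( $this->getUser() ) ) {`. Because the check runs only after warnings have been handled, the limit bounds completed uploads rather than whatever processing precedes this point; that trade-off is reasonable but deserves a sentence in the comment. The enclosing method starts and ends outside the hunk.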
@@ -475,6 +475,14 @@ class SpecialUpload extends SpecialPage {
 }
 }
 
+ // This is as late as we can throttle, after expected issues have been handled
+ if ( UploadBase::isThrottled( $this->getUser() ) ) {
+ $this->showRecoverableUploadError(
+ $this->msg( 'actionthrottledtext' )->escaped()
+ );
+ return;
+ }
+
 // Get the page text if this is not a reupload
 if ( !$this->mForReUpload ) {
 $pageText = self::getInitialPageText( $this->mComment, $this->mLicense,
diff --git a/includes/upload/UploadBase.php b/includes/upload/UploadBase.php
index 5f4a16aa44..f600e32135 100644
--- a/includes/upload/UploadBase.php
+++ b/includes/upload/UploadBase.php
@@ -125,6 +125,16 @@ abstract class UploadBase {
 return true;
 }
 
+ /**
+ * Returns true if the user has surpassed the upload rate limit, false otherwise.
+ *
+ * @param User $user
+ * @return bool
+ */
+ public static function isThrottled( $user ) {
+ return $user->pingLimiter( 'upload' );
+ }
+
 // Upload handlers. Should probably just be a global.
 private static $uploadHandlers = array( 'Stash', 'File', 'Url' );
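Review bot: `showRecoverableUploadError` is handed `$this->msg( 'actionthrottledtext' )->escaped()`, so it has to treat its argument as already-escaped HTML; if it escapes again the user will see entities, and if it expects plain text the call should pass `->text()` instead — confirm against the method's existing callers, which are outside this hunk. The comment `// This is as late as we can throttle, after expected issues have been handled` could also note that, if `pingLimiter` both counts and checks as its name suggests, this call is what records the attempt, since a reader may otherwise take `isThrottled` for a read-only query. The enclosing method starts and ends outside the hunk.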
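Review bot: The new `isThrottled( $user )` documents `$user` as a `User` in its docblock but does not enforce it; declare it as `public static function isThrottled( User $user ) {` so a wrong argument fails at the call site rather than inside `pingLimiter`. The docblock describes a pure query, yet `pingLimiter` presumably records the hit as well as checking it (its name suggests so; the one-line body is the only evidence here), so the description should read along the lines of `Checks the 'upload' rate limit for $user, counting this call as an attempt; returns true if the limit has been exceeded.` The `'upload'` key has to match the `$wgRateLimits` group added in DefaultSettings in this commit, which it does.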