* (bug 12370) Add throttle on password attempts. Defaults to max 5 attempts in 5...
authorAndrew Garrett <werdna@users.mediawiki.org>
Fri, 8 Aug 2008 11:49:39 +0000 (11:49 +0000)
committerAndrew Garrett <werdna@users.mediawiki.org>
Fri, 8 Aug 2008 11:49:39 +0000 (11:49 +0000)
RELEASE-NOTES
includes/DefaultSettings.php
includes/specials/SpecialUserlogin.php
languages/messages/MessagesEn.php

index 96650b7..67a3c15 100644 (file)
@@ -79,6 +79,7 @@ it from source control: http://www.mediawiki.org/wiki/Download_from_SVN
 * (bug 15055) Talk page notifications no longer attempt to send mail when
   user's e-mail address is invalid or unconfirmed
 * (bug 2443) Add image name as alt-text when no caption is provided.
+* (bug 12370) Add throttle on password attempts. Defaults to max 5 attempts in 5 minutes.
 
 === API changes in 1.14 ===
 
index a47911f..2feb33c 100644 (file)
@@ -3357,3 +3357,9 @@ $wgSitemapNamespaces = false;
  * ting this variable false.
  */
 $wgUseAutomaticEditSummaries = true;
+
+/**
+ * Limit password attempts to X attempts per Y seconds per IP per account.
+ * Requires memcached.
+ */
+$wgPasswordAttemptThrottle = array( 5, 300 );
\ No newline at end of file
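Review bot: The new docblock does not say how to turn the throttle off, yet the consumer added in SpecialUserlogin.php skips the check whenever the value is not an array of at least two elements, so `false` is the supported off switch; add `Set to false to disable.` to the comment. The two elements are only described by position, so naming them inline, e.g. `$wgPasswordAttemptThrottle = array( 5, 300 ); // array( attempts, seconds )`, would let an administrator adjust one without reading the login code. The hunk also leaves the file without a trailing newline.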
index 20bd853..f597d62 100644 (file)
@@ -33,6 +33,7 @@ class LoginForm {
        const RESET_PASS = 7;
        const ABORTED = 8;
        const CREATE_BLOCKED = 9;
+       const THROTTLED = 10;
 
        var $mName, $mPassword, $mRetype, $mReturnTo, $mCookieCheck, $mPosted;
        var $mAction, $mCreateaccount, $mCreateaccountMail, $mMailmypassword;
@@ -372,6 +373,23 @@ class LoginForm {
                if ( '' == $this->mName ) {
                        return self::NO_NAME;
                }
+               
+               global $wgPasswordAttemptThrottle;
+               if (is_array($wgPasswordAttemptThrottle) && count($wgPasswordAttemptThrottle) >=2) {
+                       list($count,$period) = $wgPasswordAttemptThrottle;
+                       $key = wfMemcKey( 'password-throttle', wfGetIP(), $this->mName );
+                       
+                       global $wgMemc;
+                       $cur = $wgMemc->get($key);
+                       if ($cur>0 && $cur<$count) {
+                               $wgMemc->incr($key);
+                               // Okay
+                       } elseif ($cur>0) {
+                               return self::THROTTLED;
+                       } elseif (!$cur) {
+                               $wgMemc->add( $key, 1, $period );
+                       }
+               }
 
                // Load $wgUser now, and check to see if we're logging in as the same name. 
                // This is necessary because loading $wgUser (say by calling getName()) calls
@@ -541,6 +559,9 @@ class LoginForm {
                        case self::CREATE_BLOCKED:
                                $this->userBlockedMessage();
                                break;
+                       case self::THROTTLED:
+                               $this->mainLoginForm( wfMsg( 'login-throttled' ) );
+                               break;
                        default:
                                throw new MWException( "Unhandled case value" );
                }
index 18d5b65..4bdb967 100644 (file)
@@ -971,6 +971,7 @@ Please enter a well-formatted address or empty that field.',
 You should log in and change your password now.
 
 You may ignore this message, if this account was created in error.',
+'login-throttled'           => "You have made too many recent attempts on this account's password. Please wait before trying again.",
 'loginlanguagelabel'         => 'Language: $1',
 'loginlanguagelinks'         => '* Deutsch|de
 * English|en