Cleanup for r38886 "(bug 12370) Add throttle on password attempts. Defaults to max...
author Brion Vibber <brion@users.mediawiki.org>
Fri, 8 Aug 2008 22:15:50 +0000 (22:15 +0000)
committer Brion Vibber <brion@users.mediawiki.org>
Fri, 8 Aug 2008 22:15:50 +0000 (22:15 +0000)
Generated memcache key used the user name, which could contain spaces or be overlong, leading to failure to enforce the check.
Switched to making the key using md5 of the username instead of the raw name, so "I Am Rocking" will get throttled as well as "WikiSysop".

Note that it still will have no effect on a default install (with no general cache engine); for this sort of security-friendly thing it might be wise to use the DB-based cache to ensure it's functional.

includes/specials/SpecialUserlogin.php

index 4719a71..99ba68e 100644 (file)
@@ -376,7 +376,7 @@ class LoginForm {
                
                global $wgPasswordAttemptThrottle;
                if ( is_array($wgPasswordAttemptThrottle) ) {
-                       $key = wfMemcKey( 'password-throttle', wfGetIP(), $this->mName );
+                       $key = wfMemcKey( 'password-throttle', wfGetIP(), md5( $this->mName ) );
                        $count = $wgPasswordAttemptThrottle['count'];
                        $period = $wgPasswordAttemptThrottle['seconds'];
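
Review bot: on the changed `$key = wfMemcKey( ... )` line, md5() is taken over `$this->mName` as it stands at this point; if that value is not already the canonical form of the user name here, hash the canonical form instead so that one account always maps to one throttle key. A one-line comment on that line saying the md5 is only there to keep the memcached key free of spaces and within the length limit (not for secrecy) would save the next reader from wondering why a hash appears in a key name. Since the commit message notes the throttle is a no-op without a general cache engine, a comment or log line near this `is_array($wgPasswordAttemptThrottle)` check stating that dependency would also be worth adding.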