From: Brian Wolff
Date: Wed, 21 Nov 2018 16:15:28 +0000 (+0000)
Subject: SECURITY: rate-limit and prevent blocked users from changing email
X-Git-Tag: 1.31.2~7
X-Git-Url: https://git.cyclocoop.org/%7B%24www_url%7Dadmin/compta/banques/%22%24lasturl/%7B%24admin_url%7Dmembres/cotisations/gestion/%40%20%27info_date_publication_anterieure%27%20=%3E%20%27Previously%20published%20on:%27%2C%20%27info_date_referencement%27%20=%3E%20%27THIS%20SITE%20REFERENCED%20ON:%27%2C%20%27info_derniere_etape%27%20=%3E%20%27Done%21%27%2C-%27info_derniers_articles_publies%27%20=%3E%20%27Your%20most%20recently%20published%20articles%27%2C-%27info_desactiver_messagerie_personnelle%27%20=%3E%20%27You%20can%20enable%20or%20disable%20your%20personal%20messaging%20on%20this%20site.%27%2C%20%27info_descriptif%27%20=%3E%20%27Description:%27%2C%20%27info_desinstaller_plugin%27%20=%3E%20%27%20deactivates%20the%20plugin%20and%20deletes%20the%20data%27%2C%20%27info_discussion_cours%27%20=%3E%20%27Current%20discussions%27%2C%40%40%20-332%2C7%20%20284%2C6%20%40%40%20Do%20not%20submit%20this%20import%20request.%3Cp%3EFor%20more%20information%2C%20please%20see%20%3Ca%20href=?a=commitdiff_plain;h=a3a9b8d440c10e0f1937b20d36cd9e1004843197;p=lhc%2Fweb%2Fwiklou.git

SECURITY: rate-limit and prevent blocked users from changing email

This is to counter spam where people use Special:ChangeEmail to spam people with the confirmation email and using the username to promote their thing

Bug: T209794
Change-Id: I8b2bd0f60c66f44c91dc78e3512a73e4237df2f3
---

diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 89b77d28b3..43b30b05c7 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -5681,6 +5681,10 @@ $wgRateLimits = [
 		'newbie' => [ 5, 86400 ],
 		'user' => [ 20, 86400 ],
 	],
+	'changeemail' => [
+		'ip-all' => [ 10, 3600 ],
+		'user' => [ 4, 86400 ]
+	],
 	// Purging pages
 	'purge' => [
 		'ip' => [ 30, 60 ],
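Review bot: The new `'changeemail'` entry is the only action in this stretch of `$wgRateLimits` without the one-line label its siblings carry (`// Purging pages` sits directly below it), so a reader of DefaultSettings.php has to open the special page to learn what is being throttled; add `// Changing e-mail address via Special:ChangeEmail (includes/specials/SpecialChangeEmail.php)` above the entry. That comment is also the place to say why this action uses the `ip-all` bucket where `purge` uses `ip` — as I read the key names, `ip-all` counts logged-in users too, which is presumably the point given the commit's spam motivation, but confirm that against `User::pingLimiter()` before writing it down. The `$wgRateLimits` array begins above the hunk and continues below it.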
diff --git a/includes/specials/SpecialChangeEmail.php b/includes/specials/SpecialChangeEmail.php
index 1bd42ac0c8..05f8022f51 100644
--- a/includes/specials/SpecialChangeEmail.php
+++ b/includes/specials/SpecialChangeEmail.php
@@ -78,6 +78,10 @@ class SpecialChangeEmail extends FormSpecialPage {
 			throw new PermissionsError( 'viewmyprivateinfo' );
 		}
 
+		if ( $user->isBlockedFromEmailuser() ) {
+			throw new UserBlockedError( $user->getBlock() );
+		}
+
 		parent::checkExecutePermissions( $user );
 	}
 
@@ -164,6 +168,12 @@ class SpecialChangeEmail extends FormSpecialPage {
 			return Status::newFatal( 'changeemail-nochange' );
 		}
 
+		// To prevent spam, rate limit adding a new address, but do
+		// not rate limit removing an address.
+		if ( $newaddr !== '' && $user->pingLimiter( 'changeemail' ) ) {
+			return Status::newFatal( 'actionthrottledtext' );
+		}
+
 		$oldaddr = $user->getEmail();
 		$status = $user->setEmailWithConfirmation( $newaddr );
 		if ( !$status->isGood() ) {
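Review bot: The guard on the new `if ( $user->isBlockedFromEmailuser() )` line is narrower than the commit title "prevent blocked users" suggests: judging from the method name it only fires for blocks that carry the "cannot send e-mail" restriction, so a user under an ordinary sitewide block without that flag still reaches the form — confirm against `User::isBlockedFromEmailuser()`. Whichever is intended, it deserves a comment so nobody later "fixes" it in either direction: `// Only blocks that also disable Special:EmailUser stop an address change; a plain block without the e-mail restriction does not.` Note also that this check gates the whole page, so such a user cannot remove an existing address either, whereas the limiter added further down in this file deliberately exempts removal; if removal should stay available to blocked users, this check belongs next to the limiter rather than in the permission gate. `checkExecutePermissions()` begins outside the hunk.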
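Review bot: The throttle on the new `$user->pingLimiter( 'changeemail' )` line sits in the special page rather than in `User::setEmailWithConfirmation()`, which is the call two lines below that actually sends the confirmation mail carrying the username; any other caller of that method (I cannot see from here whether Preferences or an API module is one) stays unthrottled. Moving the `pingLimiter` call into `setEmailWithConfirmation()`, keyed on the same `'changeemail'` action, would cover every path with a single check. If it stays here, the existing comment should also say that a rejected submission still consumes a ping, since the limiter runs before `setEmailWithConfirmation()` reports its status: `// The ping is consumed even if the change below fails, so repeated bad submissions also count against the limit.` The enclosing method begins and ends outside the hunk.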