From 20887d84eac33aea5f6b9d7f7faa1913bc79642f Mon Sep 17 00:00:00 2001
From: Andrew Garrett
Date: Fri, 8 Aug 2008 11:49:39 +0000
Subject: [PATCH] * (bug 12370) Add throttle on password attempts. Defaults to max 5 attempts in 5 minutes.
---
 RELEASE-NOTES | 1 +
 includes/DefaultSettings.php | 6 ++++++
 includes/specials/SpecialUserlogin.php | 21 +++++++++++++++++++++
 languages/messages/MessagesEn.php | 1 +
 4 files changed, 29 insertions(+)
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 96650b7bba..67a3c151c1 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -79,6 +79,7 @@ it from source control: http://www.mediawiki.org/wiki/Download_from_SVN
 * (bug 15055) Talk page notifications no longer attempt to send mail when user's e-mail address is invalid or unconfirmed
 * (bug 2443) Add image name as alt-text when no caption is provided.
+* (bug 12370) Add throttle on password attempts. Defaults to max 5 attempts in 5 minutes.
 === API changes in 1.14 ===
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index a47911fa1c..2feb33c0fa 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -3357,3 +3357,9 @@ $wgSitemapNamespaces = false;
 * ting this variable false.
 */
 $wgUseAutomaticEditSummaries = true;
+
+/**
+ * Limit password attempts to X attempts per Y seconds per IP per account.
+ * Requires memcached.
+ */
+$wgPasswordAttemptThrottle = array( 5, 300 );
\ No newline at end of file
diff --git a/includes/specials/SpecialUserlogin.php b/includes/specials/SpecialUserlogin.php
index 20bd853d34..f597d62b16 100644
--- a/includes/specials/SpecialUserlogin.php
+++ b/includes/specials/SpecialUserlogin.php
@@ -33,6 +33,7 @@ class LoginForm {
 const RESET_PASS = 7;
 const ABORTED = 8;
 const CREATE_BLOCKED = 9;
+ const THROTTLED = 10;
 var $mName, $mPassword, $mRetype, $mReturnTo, $mCookieCheck, $mPosted;
 var $mAction, $mCreateaccount, $mCreateaccountMail, $mMailmypassword;
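Review bot: The doc comment on `$wgPasswordAttemptThrottle` does not say how to disable the throttle or what the two array elements mean, which is what an operator reading DefaultSettings.php needs; the consuming code in SpecialUserlogin.php only acts when the value is an array of at least two elements and destructures it as count then period. Suggest replacing the first comment line with ` * Limit password attempts to $count attempts per $period seconds per IP per account: array( $count, $period ). Set to false to disable.` and sharpening the second to ` * Requires a working $wgMemc store; if the store never returns the stored count, the throttle is not enforced.` The added line also ends without a trailing newline (`\ No newline at end of file`), which the file's other settings do not share.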
@@ -372,6 +373,23 @@ class LoginForm {
 if ( '' == $this->mName ) {
 return self::NO_NAME;
 }
+
+ global $wgPasswordAttemptThrottle;
+ if (is_array($wgPasswordAttemptThrottle) && count($wgPasswordAttemptThrottle) >=2) {
+ list($count,$period) = $wgPasswordAttemptThrottle;
+ $key = wfMemcKey( 'password-throttle', wfGetIP(), $this->mName );
+
+ global $wgMemc;
+ $cur = $wgMemc->get($key);
+ if ($cur>0 && $cur<$count) {
+ $wgMemc->incr($key);
+ // Okay
+ } elseif ($cur>0) {
+ return self::THROTTLED;
+ } elseif (!$cur) {
+ $wgMemc->add( $key, 1, $period );
+ }
+ }
 // Load $wgUser now, and check to see if we're logging in as the same name.
 // This is necessary because loading $wgUser (say by calling getName()) calls
@@ -541,6 +559,9 @@ class LoginForm {
 case self::CREATE_BLOCKED:
 $this->userBlockedMessage();
 break;
+ case self::THROTTLED:
+ $this->mainLoginForm( wfMsg( 'login-throttled' ) );
+ break;
 default:
 throw new MWException( "Unhandled case value" );
 }
diff --git a/languages/messages/MessagesEn.php b/languages/messages/MessagesEn.php
index 18d5b65562..4bdb967bae 100644
--- a/languages/messages/MessagesEn.php
+++ b/languages/messages/MessagesEn.php
@@ -971,6 +971,7 @@ Please enter a well-formatted address or empty that field.',
 You should log in and change your password now.
 You may ignore this message, if this account was created in error.',
+'login-throttled' => "You have made too many recent attempts on this account's password. Please wait before trying again.",
 'loginlanguagelabel' => 'Language: $1',
 'loginlanguagelinks' => '* Deutsch|de
 * English|en
-- 
2.20.1
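Review bot: The counter is bumped on every call, right after the empty-name check and before the password is ever verified, and nothing deletes the key on a successful login, so correct logins count against the limit — a user who signs in five times from one IP within the 300-second window gets THROTTLED on the sixth attempt. Count only failures by moving the `incr`/`add` to the wrong-password path (outside this hunk) and clear the key with `$wgMemc->delete( $key );` once the password verifies. The key is built from `$this->mName` exactly as typed, so any spellings the subsequent user lookup normalizes to the same account keep separate counters; canonicalize the name before building the key, and if wfMemcKey does not escape spaces, hash the name as well, since memcached keys cannot contain whitespace. When `get()` returns false because no cache is available the `!$cur` branch lets the attempt through, which matches the "Requires memcached" note but deserves saying in place of the bare `// Okay`, e.g. `// Throttle fails open when no cache backend stores the count`. The enclosing function starts and ends outside the hunk.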