Chad has submitted this change and it was merged.

Change subject: SECURITY: Throttle uploads
......................................................................


SECURITY: Throttle uploads

Add throttle check in ApiUpload and SpecialUpload.

Bug: T91850
Change-Id: If33cc99f304aab2486507c7500b4abb06b6b5d70
---
M includes/DefaultSettings.php
M includes/api/ApiUpload.php
M includes/specials/SpecialUpload.php
M includes/upload/UploadBase.php
4 files changed, 30 insertions(+), 0 deletions(-)

Approvals:
  Chad: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 91d33c1..5f2e3da 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -4959,6 +4959,12 @@
                'ip' => null, // for each anon and recent account
                'subnet' => null, // ... within a /24 subnet in IPv4 or /64 in 
IPv6
        ),
+       'upload' => array(
+               'user' => null,
+               'newbie' => null,
+               'ip' => null,
+               'subnet' => null,
+       ),
        'move' => array(
                'user' => null,
                'newbie' => null,
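Review bot: The new `'upload'` entry has none of the per-key comments that the sibling entries above carry, and nothing states that with every key left `null` uploads stay unthrottled until an operator configures this entry in `$wgRateLimits`. A short comment on the array line, such as `'upload' => array( // file uploads; all null = no limit until configured`, would make the default explicit for anyone reading the settings.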
diff --git a/includes/api/ApiUpload.php b/includes/api/ApiUpload.php
index 657181b..ff93cfc 100644
--- a/includes/api/ApiUpload.php
+++ b/includes/api/ApiUpload.php
@@ -138,6 +138,12 @@
                        return $this->getStashResult( $warnings );
                }
 
+               // Check throttle after we've handled warnings
+               if ( UploadBase::isThrottled( $this->getUser() )
+               ) {
+                       $this->dieUsageMsg( 'actionthrottledtext' );
+               }
+
                // This is the most common case -- a normal upload with no 
warnings
                // performUpload will return a formatted properly for the API 
with status
                return $this->performUpload( $warnings );
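Review bot: Requests that return through `getStashResult()` on the line just above the new check never reach `isThrottled()`, so stash-bound uploads are not rate-limited by this change; if that is intended, the new comment should say so, e.g. `// Check throttle after we've handled warnings; stash-only requests are not counted here`. Separately, the condition fits on one line, `if ( UploadBase::isThrottled( $this->getUser() ) ) {`, matching the form used in SpecialUpload. The enclosing method begins before the hunk.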
diff --git a/includes/specials/SpecialUpload.php 
b/includes/specials/SpecialUpload.php
index 55d09dd..1c09ab0 100644
--- a/includes/specials/SpecialUpload.php
+++ b/includes/specials/SpecialUpload.php
@@ -451,6 +451,14 @@
                        }
                }
 
+               // This is as late as we can throttle, after expected issues 
have been handled
+               if ( UploadBase::isThrottled( $this->getUser() ) ) {
+                       $this->showRecoverableUploadError(
+                               $this->msg( 'actionthrottledtext' )->escaped()
+                       );
+                       return;
+               }
+
                // Get the page text if this is not a reupload
                if ( !$this->mForReUpload ) {
                        $pageText = self::getInitialPageText( $this->mComment, 
$this->mLicense,
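Review bot: The comment on the new check says this is "as late as we can throttle" but not why that matters; if `pingLimiter()` records a hit on every call, as I believe it does, placing the check here keeps attempts rejected above for warnings from consuming the user's quota, and the comment should state that, e.g. `// Throttle last so attempts rejected above do not count against the limit`. The enclosing method continues beyond the hunk.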
diff --git a/includes/upload/UploadBase.php b/includes/upload/UploadBase.php
index 14959c2..781eada 100644
--- a/includes/upload/UploadBase.php
+++ b/includes/upload/UploadBase.php
@@ -130,6 +130,16 @@
                return true;
        }
 
+       /**
+        * Returns true if the user has surpassed the upload rate limit, false 
otherwise.
+        *
+        * @param User $user
+        * @return bool
+        */
+       public static function isThrottled( $user ) {
+               return $user->pingLimiter( 'upload' );
+       }
+
        // Upload handlers. Should probably just be a global.
        private static $uploadHandlers = array( 'Stash', 'File', 'Url' );
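Review bot: The docblock declares `@param User $user` but the signature leaves the parameter untyped; a class type hint is available on this branch and turns a wrong argument into an immediate error instead of a fatal inside `pingLimiter()`: `public static function isThrottled( User $user ) {`. The docblock could also note that the call is not a pure query if `pingLimiter()` counts each invocation as a hit — worth confirming so callers do not invoke it speculatively.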
 

-- 
To view, visit https://gerrit.wikimedia.org/r/246873
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: If33cc99f304aab2486507c7500b4abb06b6b5d70
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: REL1_24
Gerrit-Owner: Chad <[email protected]>
Gerrit-Reviewer: Aaron Schulz <[email protected]>
Gerrit-Reviewer: Anomie <[email protected]>
Gerrit-Reviewer: CSteipp <[email protected]>
Gerrit-Reviewer: Chad <[email protected]>
Gerrit-Reviewer: jenkins-bot <>
