jenkins-bot has submitted this change and it was merged.
Change subject: SECURITY: Throttle uploads
......................................................................
SECURITY: Throttle uploads
Add throttle check in ApiUpload and SpecialUpload.
Bug: T91850
Change-Id: If33cc99f304aab2486507c7500b4abb06b6b5d70
---
M includes/DefaultSettings.php
M includes/api/ApiUpload.php
M includes/specials/SpecialUpload.php
M includes/upload/UploadBase.php
4 files changed, 30 insertions(+), 0 deletions(-)
Approvals:
Chad: Looks good to me, approved
jenkins-bot: Verified
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index fd67b6d..47f1434 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -5174,6 +5174,12 @@
'ip' => null, // for each anon and recent account
'subnet' => null, // ... within a /24 subnet in IPv4 or /64 in
IPv6
),
+ 'upload' => array(
+ 'user' => null,
+ 'newbie' => null,
+ 'ip' => null,
+ 'subnet' => null,
+ ),
'move' => array(
'user' => null,
'newbie' => null,
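Review bot: All four new `'upload'` limits are `null`, which in this array appears to mean "no limit" (the neighbouring entries use the same value), so the checks added in ApiUpload and SpecialUpload have no effect until an operator configures values. That may be the right backward-compatible default for a release branch, but nothing in the hunk says so. Add a comment on the entry, for example `// null = unlimited; the upload throttle is only enforced once these are configured`, and mention the new key in the release notes. The array's opening and closing are outside the hunk.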
diff --git a/includes/api/ApiUpload.php b/includes/api/ApiUpload.php
index 398337b..16ce301 100644
--- a/includes/api/ApiUpload.php
+++ b/includes/api/ApiUpload.php
@@ -138,6 +138,12 @@
return $this->getStashResult( $warnings );
}
+ // Check throttle after we've handled warnings
+ if ( UploadBase::isThrottled( $this->getUser() )
+ ) {
+ $this->dieUsageMsg( 'actionthrottledtext' );
+ }
+
// This is the most common case -- a normal upload with no
warnings
// performUpload will return a formatted properly for the API
with status
return $this->performUpload( $warnings );
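Review bot: The throttle check sits after `return $this->getStashResult( $warnings );`, so a request that ends in that return never reaches the limiter and is not counted against the 'upload' limit. The same holds for any earlier return in this method, which starts outside the hunk. If stashing writes the file to storage, which the name suggests but the hunk does not show, the limit bounds published uploads only. Either move the `UploadBase::isThrottled( $this->getUser() )` check above the branch that returns the stash result, or state the exemption in the comment, e.g. `// Stash-only requests above are deliberately not rate-limited because …`.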
diff --git a/includes/specials/SpecialUpload.php
b/includes/specials/SpecialUpload.php
index 10d55b2..16f4d16 100644
--- a/includes/specials/SpecialUpload.php
+++ b/includes/specials/SpecialUpload.php
@@ -462,6 +462,14 @@
}
}
+ // This is as late as we can throttle, after expected issues
have been handled
+ if ( UploadBase::isThrottled( $this->getUser() ) ) {
+ $this->showRecoverableUploadError(
+ $this->msg( 'actionthrottledtext' )->escaped()
+ );
+ return;
+ }
+
// Get the page text if this is not a reupload
if ( !$this->mForReUpload ) {
$pageText = self::getInitialPageText( $this->mComment,
$this->mLicense,
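Review bot: The throttled branch reports through `showRecoverableUploadError()`, which, judging by its name, is the path for errors the user can correct and resubmit. If that helper keeps the uploaded file for the retry (its body is not in this hunk), each throttled request still leaves a stored file behind and re-presents a form that will be throttled again. Consider a plain, non-recoverable error for this case, or extend the comment to say why the recoverable path is intended, e.g. `// Keep the file available so the user can retry once the limit resets`. The enclosing method starts and ends outside the hunk.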
diff --git a/includes/upload/UploadBase.php b/includes/upload/UploadBase.php
index 30a85ae..e9e1f65 100644
--- a/includes/upload/UploadBase.php
+++ b/includes/upload/UploadBase.php
@@ -128,6 +128,16 @@
return true;
}
+ /**
+ * Returns true if the user has surpassed the upload rate limit, false
otherwise.
+ *
+ * @param User $user
+ * @return bool
+ */
+ public static function isThrottled( $user ) {
+ return $user->pingLimiter( 'upload' );
+ }
+
// Upload handlers. Should probably just be a global.
private static $uploadHandlers = array( 'Stash', 'File', 'Url' );
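Review bot: The docblock on `isThrottled()` describes a pure predicate, but the body calls `$user->pingLimiter( 'upload' )`. As far as I know from MediaWiki's User class, that call also records a hit against the limit each time it runs. A caller that checks it twice in one request, or calls it only to decide what to display, would use up the user's quota. I would add a line to the docblock such as `* Note: calling this counts the current request against the 'upload' rate limit; call it once per upload attempt.`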
--
To view, visit https://gerrit.wikimedia.org/r/246973
Gerrit-MessageType: merged
Gerrit-Change-Id: If33cc99f304aab2486507c7500b4abb06b6b5d70
Gerrit-PatchSet: 2
Gerrit-Project: mediawiki/core
Gerrit-Branch: REL1_26
Gerrit-Owner: Chad <[email protected]>
Gerrit-Reviewer: Aaron Schulz <[email protected]>
Gerrit-Reviewer: Anomie <[email protected]>
Gerrit-Reviewer: CSteipp <[email protected]>
Gerrit-Reviewer: Chad <[email protected]>
Gerrit-Reviewer: jenkins-bot <>