Page MenuHomePhabricator
Create Task
Maniphest T126685

Globally throttle password attempts
Closed, ResolvedPublic
Actions

Description

The 5 guesses / 5 minutes throttle is set per wiki,

$throttleKey = wfMemcKey( 'password-throttle', $wgRequest->getIP(), md5( $username ) );

so does ConfirmEdit,

wfMemcKey( 'captcha', 'badlogin', 'ip', $ip );

CentralAuth doesn't do throttling.

I think we should either have a globalthrottle extension, or just make these use a global cache key.

Details

SubjectRepoBranchLines +/-
Use global cache keys login/create account rate limittingmediawiki/coremaster+4 -4
Use global cache keys bad login rate limitting captcha triggermediawiki/extensions/ConfirmEditmaster+1 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

csteipp created this task.Feb 11 2016, 10:28 PM
csteipp assigned this task to Bawolff.
csteipp raised the priority of this task from to Medium.
csteipp updated the task description. (Show Details)
csteipp added projects: acl*security, Security-Team.
csteipp changed the visibility from "Public (No Login Required)" to "Custom Policy".
csteipp changed the edit policy from "All Users" to "Custom Policy".
csteipp changed Security from None to Software security bug.
csteipp added subscribers: Bawolff, csteipp.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 11 2016, 10:28 PM
Bawolff added a comment.Feb 11 2016, 10:31 PM

Can this go in normal gerrit patches, or should it be secret patches on bug?

Legoktm subscribed.Feb 11 2016, 11:04 PM

Since we're already using the username, lets just use a global cache key... so s/wfMemcKey/wfGlobalCacheKey/ in those two places?

Bawolff added a comment.Feb 12 2016, 2:27 PM

Yes, i agree, global cache key sounds good.

Bawolff added a project: Patch-For-Review.Feb 15 2016, 2:28 AM

https://gerrit.wikimedia.org/r/270662 and https://gerrit.wikimedia.org/r/270663

Legoktm added a comment.Feb 15 2016, 9:18 AM

+2'd both.

Bawolff closed this task as Resolved.Feb 16 2016, 10:02 PM

Patches are merged, so I'm going to mark this as resolved, but make it block T124940 as a reminder the patch should maybe be backported for the various branches next release.

Bawolff added a parent task: T124940: MediaWiki 1.26.3 security release.Feb 16 2016, 10:02 PM
demon mentioned this in T124940: MediaWiki 1.26.3 security release.Apr 20 2016, 3:09 PM
demon changed the visibility from "Custom Policy" to "Public (No Login Required)".May 20 2016, 5:26 PM
demon changed the edit policy from "Custom Policy" to "All Users".
demon changed Security from Software security bug to None.
Restricted Application added a subscriber: Malyacko. · View Herald TranscriptMay 20 2016, 5:26 PM
sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.Jun 11 2019, 7:08 PM
chasemp added a project: Security.Feb 10 2020, 10:59 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:17 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL