F188047
T91850.patch
csteipp (Chris Steipp)
Authored By
•
csteipp
Jul 1 2015, 5:59 PM
2015-07-01 17:59:03 (UTC+0)
Size
2 KB
T91850.patch
From 0e0d9a53454149fa1d97a6bdede664dfe2b8d3c7 Mon Sep 17 00:00:00 2001
From: csteipp <csteipp@wikimedia.org>
Date: Wed, 11 Mar 2015 18:44:44 -0700
Subject: [PATCH] SECURITY: Throttle uploads
Add throttle check in ApiUpload and SpecialUpload.
Bug: T91850
Change-Id: If33cc99f304aab2486507c7500b4abb06b6b5d70
---
includes/DefaultSettings.php | 6 ++++++
includes/api/ApiUpload.php | 5 +++++
includes/specials/SpecialUpload.php | 5 +++++
includes/upload/UploadBase.php | 10 ++++++++++
4 files changed, 26 insertions(+)
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 6f2f5b9..3232262 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -5174,6 +5174,12 @@ $wgRateLimits = array(
'ip' => null, // for each anon and recent account
'subnet' => null, // ... within a /24 subnet in IPv4 or /64 in IPv6
),
+ 'upload' => array(
+ 'user' => null,
+ 'newbie' => null,
+ 'ip' => null,
+ 'subnet' => null,
+ ),
'move' => array(
'user' => null,
'newbie' => null,
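Review bot: The new `'upload'` bucket sets every key to `null`, which by the convention of the neighbouring entries presumably means "no limit", so a stock install would still be unthrottled after this security fix. If opt-in is intentional for backward compatibility, say so next to the entry, for example `// Uploads stay unthrottled until the site sets these (T91850)`, and call it out in the release notes so operators know they have to configure a value. The `$wgRateLimits` array starts and ends outside this hunk, so the exact semantics of `null` should be confirmed against its header comment.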
diff --git a/includes/api/ApiUpload.php b/includes/api/ApiUpload.php
index 54294c9..cc148cd 100644
--- a/includes/api/ApiUpload.php
+++ b/includes/api/ApiUpload.php
@@ -70,6 +70,11 @@ class ApiUpload extends ApiBase {
// First check permission to upload
$this->checkPermissions( $user );
+ // Check throttle
+ if ( UploadBase::isThrottled( $user ) ) {
+ $this->dieUsageMsg( 'actionthrottledtext' );
+ }
+
// Fetch the file (usually a no-op)
/** @var $status Status */
$status = $this->mUpload->fetchFile();
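Review bot: The throttle is consulted at request entry, before `fetchFile()`, so every request to the module is charged against the limit whether or not it ends in a stored file (assuming `User::pingLimiter()` counts each call, which is not visible here). If this module also serves multi-request flows such as chunked or stashed uploads, one logical upload would consume several hits, and operators would have to set the limit loosely enough to weaken it. Consider moving the check to where the upload is actually performed, or at least document the unit with a comment such as `// Counts every API request, not every completed upload`. The same placement question applies to the SpecialUpload.php hunk, where the check appears to run before the code separates showing the form from processing a submission. Both enclosing methods start and end outside their hunks, so this should be confirmed against the full files.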
diff --git a/includes/specials/SpecialUpload.php b/includes/specials/SpecialUpload.php
index 6b0bf41..be719bf 100644
--- a/includes/specials/SpecialUpload.php
+++ b/includes/specials/SpecialUpload.php
@@ -174,6 +174,11 @@ class SpecialUpload extends SpecialPage {
throw new UserBlockedError( $user->getBlock() );
}
+ # Check Throttle
+ if ( UploadBase::isThrottled( $user ) ) {
+ throw new ThrottledError();
+ }
+
# Check whether we actually want to allow changing stuff
$this->checkReadOnly();
diff --git a/includes/upload/UploadBase.php b/includes/upload/UploadBase.php
index 426c752..287c5fe 100644
--- a/includes/upload/UploadBase.php
+++ b/includes/upload/UploadBase.php
@@ -128,6 +128,16 @@ abstract class UploadBase {
return true;
}
+ /**
+ * Returns true if the user has surpassed the upload rate limit, false otherwise.
+ *
+ * @param User $user
+ * @return bool
+ */
+ public static function isThrottled( $user ) {
+ return $user->pingLimiter( 'upload' );
+ }
+
// Upload handlers. Should probably just be a global.
private static $uploadHandlers = array( 'Stash', 'File', 'Url' );
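Review bot: `isThrottled()` reads like a side-effect-free predicate, but it delegates to `$user->pingLimiter( 'upload' )`, which as far as I know also records the hit, and the docblock does not say so. Suggest adding a line such as `* Calling this counts as one 'upload' action against the limit; call it once per upload attempt.` and describing `$user` as the user performing the upload. A type hint on the parameter, `public static function isThrottled( User $user ) {`, would also reject a wrong argument before it reaches the limiter.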
--
1.8.4.5
Attached To
Mode
T91850: No rate limits on uploading files