T91850.patch

From 0e0d9a53454149fa1d97a6bdede664dfe2b8d3c7 Mon Sep 17 00:00:00 2001
From: csteipp <csteipp@wikimedia.org>
Date: Wed, 11 Mar 2015 18:44:44 -0700
Subject: [PATCH] SECURITY: Throttle uploads
Add throttle check in ApiUpload and SpecialUpload.
Bug: T91850
Change-Id: If33cc99f304aab2486507c7500b4abb06b6b5d70
---
includes/DefaultSettings.php | 6 ++++++
includes/api/ApiUpload.php | 5 +++++
includes/specials/SpecialUpload.php | 5 +++++
includes/upload/UploadBase.php | 10 ++++++++++
4 files changed, 26 insertions(+)
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 6f2f5b9..3232262 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -5174,6 +5174,12 @@ $wgRateLimits = array(
'ip' => null, // for each anon and recent account
'subnet' => null, // ... within a /24 subnet in IPv4 or /64 in IPv6
),
+ 'upload' => array(
+ 'user' => null,
+ 'newbie' => null,
+ 'ip' => null,
+ 'subnet' => null,
+ ),
'move' => array(
'user' => null,
'newbie' => null,
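Review bot: The new 'upload' entry leaves every scope at null, so on a default install the check this patch adds elsewhere throttles nothing until an operator configures a limit, which is worth stating for a change labelled SECURITY. The sibling 'ip' and 'subnet' entries carry a trailing comment and the new block carries none; I would annotate it in the same way, e.g. `'upload' => array( // null = no limit; set per-scope limits to enable upload throttling`, and list 'upload' in the $wgRateLimits documentation above this hunk (outside the visible range). That null means "unlimited" is inferred from the surrounding entries rather than shown here, so confirm it against the limiter before wording the comment.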
diff --git a/includes/api/ApiUpload.php b/includes/api/ApiUpload.php
index 54294c9..cc148cd 100644
--- a/includes/api/ApiUpload.php
+++ b/includes/api/ApiUpload.php
@@ -70,6 +70,11 @@ class ApiUpload extends ApiBase {
// First check permission to upload
$this->checkPermissions( $user );
+ // Check throttle
+ if ( UploadBase::isThrottled( $user ) ) {
+ $this->dieUsageMsg( 'actionthrottledtext' );
+ }
+
// Fetch the file (usually a no-op)
/** @var $status Status */
$status = $this->mUpload->fetchFile();
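Review bot: The throttle check is placed before fetchFile() and before the upload is verified, so every request that reaches this point consumes a rate-limit hit even when it later fails validation or is only one chunk or stash step of a single logical upload, assuming pingLimiter() records the hit as well as testing it (its name suggests so, but the hunk does not show it). If the limit is meant to bound completed uploads, the check belongs as late as possible, just before the file is actually published, so the count reflects uploads rather than attempts. If it stays here, document the trade-off on the line above it: `// Counts every upload request, including chunks and attempts that later fail verification`. ApiUpload::execute() starts before this hunk and continues after it, so the publish step is not visible from here.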
diff --git a/includes/specials/SpecialUpload.php b/includes/specials/SpecialUpload.php
index 6b0bf41..be719bf 100644
--- a/includes/specials/SpecialUpload.php
+++ b/includes/specials/SpecialUpload.php
@@ -174,6 +174,11 @@ class SpecialUpload extends SpecialPage {
throw new UserBlockedError( $user->getBlock() );
}
+ # Check Throttle
+ if ( UploadBase::isThrottled( $user ) ) {
+ throw new ThrottledError();
+ }
+
# Check whether we actually want to allow changing stuff
$this->checkReadOnly();
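Review bot: The throttle check sits beside the block check and ahead of checkReadOnly(), on what looks like the entry path of Special:Upload; if this is execute() and it runs on a plain GET of the form, every view of the upload page counts against the user's 'upload' limit and a user who reloads the form a few times is locked out before uploading anything (again assuming pingLimiter() records hits, which the hunk does not show). The check should run only on the submission path, after the edit token and the upload-clicked state have been checked, and ideally after fetchFile() and warnings are handled so that only real upload attempts are counted. The enclosing method starts and ends outside this hunk, so the exact submission branch is not visible here.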
diff --git a/includes/upload/UploadBase.php b/includes/upload/UploadBase.php
index 426c752..287c5fe 100644
--- a/includes/upload/UploadBase.php
+++ b/includes/upload/UploadBase.php
@@ -128,6 +128,16 @@ abstract class UploadBase {
return true;
}
+ /**
+ * Returns true if the user has surpassed the upload rate limit, false otherwise.
+ *
+ * @param User $user
+ * @return bool
+ */
+ public static function isThrottled( $user ) {
+ return $user->pingLimiter( 'upload' );
+ }
+
// Upload handlers. Should probably just be a global.
private static $uploadHandlers = array( 'Stash', 'File', 'Url' );
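Review bot: isThrottled() declares its parameter untyped although its docblock says `@param User $user` and the body immediately calls a method on it; I would make the signature match the docblock, `public static function isThrottled( User $user ) {`, so a wrong argument fails at the call boundary rather than as a method call on a non-object. The docblock also reads as a pure query, but the delegate is pingLimiter(), whose name suggests it records a hit as well as checking the limit; if that is so, the contract should say it, e.g. `Note: this also counts one hit against the 'upload' rate limit, so call it only once per real upload attempt.` The UploadBase class continues beyond this hunk.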
--
1.8.4.5
