F23421768
01-T169545-master.patch
Reedy (Sam Reed)
Authored By
Reedy
Jul 7 2018, 5:54 PM
2018-07-07 17:54:18 (UTC+0)
Size
1 KB
01-T169545-master.patch
From efabe4d009fe403b63f388078f6db8b750fbde42 Mon Sep 17 00:00:00 2001
From: Chad Horohoe <chadh@wikimedia.org>
Date: Tue, 13 Mar 2018 18:43:30 +0000
Subject: [PATCH] SECURITY: Make 'newbie' limit in $wgRateLimits really
override 'user' limit
The order of operations was incorrect.
Bug: T169545
Change-Id: Ia910aa2a494914d3b0017daac9ab294ea9fa8705
---
includes/user/User.php | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/includes/user/User.php b/includes/user/User.php
index ab791b4caa..d82ae7f4fc 100644
--- a/includes/user/User.php
+++ b/includes/user/User.php
@@ -2104,10 +2104,6 @@ class User implements IDBAccessObject, UserIdentity {
if ( isset( $limits['user'] ) ) {
$userLimit = $limits['user'];
}
- // limits for newbie logged-in users
- if ( $isNewbie && isset( $limits['newbie'] ) ) {
- $keys[$cache->makeKey( 'limiter', $action, 'user', $id )] = $limits['newbie'];
- }
}
// limits for anons and for newbie logged-in users
@@ -2139,6 +2135,11 @@ class User implements IDBAccessObject, UserIdentity {
}
}
+ // limits for newbie logged-in users (override all the normal user limits)
+ if ( $id !== 0 && $isNewbie && isset( $limits['newbie'] ) ) {
+ $userLimit = $limits['newbie'];
+ }
+
// Set the user limit key
if ( $userLimit !== false ) {
list( $max, $period ) = $userLimit;
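Review bot: The added `if ( $id !== 0 && $isNewbie && isset( $limits['newbie'] ) )` assigns `$userLimit` unconditionally, so it discards whatever the code between the two hunks stored there (not visible here; presumably group-derived limits) and also applies when the configured 'newbie' entry is looser than 'user'. If that is intended, the comment should say so, for example `// Must stay last: replaces 'user' and any limit chosen above, even when 'newbie' is the more permissive value`. The diffstat shows only `includes/user/User.php` changed, so nothing guards this ordering against regression; a unit test that sets both 'user' and 'newbie' in `$wgRateLimits` and asserts a newbie account is counted against the 'newbie' value would pin it. The strict `$id !== 0` relies on `$id` being an int, which is worth confirming against the assignment outside the hunk. The enclosing method starts and ends outside this hunk.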
--
2.11.0
File Metadata
Details
Attached
Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
6109410
Default Alt Text
01-T169545-master.patch (1 KB)
Attached To
Mode
T181665: Tracking bug for 1.27.5/1.29.3/1.30.1/1.31.1 security release
T169545: $wgRateLimits (rate limit / ping limiter) entry for 'user' overrides that for 'newbie' (CVE-2018-0503)