
01-T169545-REL1_29.patch

Authored By
Reedy
Jul 7 2018, 5:54 PM
Size
1 KB
Referenced Files
None
Subscribers
None

01-T169545-REL1_29.patch

From 3a1a2ca502c532abea30c39eb1119e09a01d6783 Mon Sep 17 00:00:00 2001
From: Chad Horohoe <chadh@wikimedia.org>
Date: Tue, 13 Mar 2018 18:43:30 +0000
Subject: [PATCH] SECURITY: Make 'newbie' limit in $wgRateLimits really
override 'user' limit
The order of operations was incorrect.
Bug: T169545
Change-Id: Ia910aa2a494914d3b0017daac9ab294ea9fa8705
---
RELEASE-NOTES-1.29 | 1 +
includes/user/User.php | 9 +++++----
2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/RELEASE-NOTES-1.29 b/RELEASE-NOTES-1.29
index 2186691690..3d576b35d0 100644
--- a/RELEASE-NOTES-1.29
+++ b/RELEASE-NOTES-1.29
@@ -26,6 +26,7 @@ This is a security and maintenance release of the MediaWiki 1.29 branch.
* (T143790) Make $wgEmailConfirmToEdit only affect edit actions.
* Special:BotPasswords now requires reauthentication.
* (T191608, T187638) Add 'logid' parameter to Special:Log.
+* (T169545) $wgRateLimits entry for 'user' overrides that for 'newbie'.
== MediaWiki 1.29.2 ==
diff --git a/includes/user/User.php b/includes/user/User.php
index 3edd49f783..7876d8a278 100644
--- a/includes/user/User.php
+++ b/includes/user/User.php
@@ -1937,10 +1937,6 @@ class User implements IDBAccessObject {
if ( isset( $limits['user'] ) ) {
$userLimit = $limits['user'];
}
- // limits for newbie logged-in users
- if ( $isNewbie && isset( $limits['newbie'] ) ) {
- $keys[wfMemcKey( 'limiter', $action, 'user', $id )] = $limits['newbie'];
- }
}
// limits for anons and for newbie logged-in users
@@ -1972,6 +1968,11 @@ class User implements IDBAccessObject {
}
}
+ // limits for newbie logged-in users (override all the normal user limits)
+ if ( $id !== 0 && $isNewbie && isset( $limits['newbie'] ) ) {
+ $userLimit = $limits['newbie'];
+ }
+
// Set the user limit key
if ( $userLimit !== false ) {
list( $max, $period ) = $userLimit;
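Review bot: The new assignment `$userLimit = $limits['newbie'];` runs after the closing braces of a block that lies outside this hunk, so it replaces whatever that block put into `$userLimit`, not only the 'user' entry. If that block is the per-group limit selection, a newbie in a group with its own limit now gets the newbie limit; this looks intended, but the comment only implies it. I would spell it out, e.g. `// Applied last: replaces the 'user' limit and any limit chosen above; anons ($id === 0) are excluded`. The guard `$id !== 0` is strict and would pass for the string '0', so confirm that `$id` is assigned as an integer earlier in the function, which starts and ends outside the hunk. The diffstat lists only the release notes and User.php, so a regression test with both 'user' and 'newbie' configured would keep this ordering from regressing.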
--
2.17.1
