F2724581
T91850c-REL1_23.patch
demon (Chad Horohoe)
Authored By
•
demon
Oct 15 2015, 8:24 PM
2015-10-15 20:24:27 (UTC+0)
From 385d2ac6b8d26b814da683e5b63ddce879569e32 Mon Sep 17 00:00:00 2001
From: Chad Horohoe <chadh@wikimedia.org>
Date: Thu, 15 Oct 2015 12:48:47 -0700
Subject: [PATCH] SECURITY: Throttle uploads
Add throttle check in ApiUpload and SpecialUpload.
Bug: T91850
Change-Id: If33cc99f304aab2486507c7500b4abb06b6b5d70
---
includes/DefaultSettings.php | 6 ++++++
includes/api/ApiUpload.php | 6 ++++++
includes/specials/SpecialUpload.php | 8 ++++++++
includes/upload/UploadBase.php | 10 ++++++++++
4 files changed, 30 insertions(+)
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index e0ab60a..cededac 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -4768,6 +4768,12 @@ $wgRateLimits = array(
'ip' => null, // for each anon and recent account
'subnet' => null, // ... within a /24 subnet in IPv4 or /64 in IPv6
),
+ 'upload' => array(
+ 'user' => null,
+ 'newbie' => null,
+ 'ip' => null,
+ 'subnet' => null,
+ ),
'move' => array(
'user' => null,
'newbie' => null,
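Review bot: All four `upload` limits are added as `null`, and the new entry carries no comment saying what that means, unlike the annotated `ip` and `subnet` lines just above it. If `null` means "no limit" here, as it appears to for the neighbouring keys, this security fix changes nothing on an upgraded wiki until the operator sets values in local configuration. I would add a comment such as `// File uploads; null = no limit, set values in LocalSettings.php to enable throttling` and call the required configuration out in the release notes. The `$wgRateLimits` array starts and ends outside this hunk.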
diff --git a/includes/api/ApiUpload.php b/includes/api/ApiUpload.php
index 30f8adb..354bd0d 100644
--- a/includes/api/ApiUpload.php
+++ b/includes/api/ApiUpload.php
@@ -139,6 +139,12 @@ class ApiUpload extends ApiBase {
return $this->getStashResult( $warnings );
}
+ // Check throttle after we've handled warnings
+ if ( UploadBase::isThrottled( $this->getUser() )
+ ) {
+ $this->dieUsageMsg( 'actionthrottledtext' );
+ }
+
// This is the most common case -- a normal upload with no warnings
// performUpload will return a formatted properly for the API with status
return $this->performUpload( $warnings );
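Review bot: The context line `return $this->getStashResult( $warnings );` sits above the new check, so requests that end in the stash branch return without ever calling `UploadBase::isThrottled()`; the same probably holds for any other early-return branch above it, which the hunk does not show. Stashing presumably still stores a file on the server, so either move the check ahead of that dispatch or state in the comment that stash-only requests are deliberately not counted, e.g. `// Only direct uploads are throttled; stash results return above this point`. The condition is also split oddly across two lines and reads better as `if ( UploadBase::isThrottled( $this->getUser() ) ) {`. The enclosing method starts and ends outside the hunk.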
diff --git a/includes/specials/SpecialUpload.php b/includes/specials/SpecialUpload.php
index b46f942..30b621e 100644
--- a/includes/specials/SpecialUpload.php
+++ b/includes/specials/SpecialUpload.php
@@ -450,6 +450,14 @@ class SpecialUpload extends SpecialPage {
}
}
+ // This is as late as we can throttle, after expected issues have been handled
+ if ( UploadBase::isThrottled( $this->getUser() ) ) {
+ $this->showRecoverableUploadError(
+ $this->msg( 'actionthrottledtext' )->escaped()
+ );
+ return;
+ }
+
// Get the page text if this is not a reupload
if ( !$this->mForReUpload ) {
$pageText = self::getInitialPageText( $this->mComment, $this->mLicense,
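Review bot: The new comment says the check is placed as late as possible but not what that placement costs. By this point a throttled client has presumably already had its file received and verified, so the limit caps completed uploads rather than the work of accepting them. Worth recording so nobody reads this as flood protection on its own: `// Throttles publishing only; the file has already been received and checked by this point`. The enclosing method starts and ends outside the hunk.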
diff --git a/includes/upload/UploadBase.php b/includes/upload/UploadBase.php
index eb33220..73d9143 100644
--- a/includes/upload/UploadBase.php
+++ b/includes/upload/UploadBase.php
@@ -123,6 +123,16 @@ abstract class UploadBase {
return true;
}
+ /**
+ * Returns true if the user has surpassed the upload rate limit, false otherwise.
+ *
+ * @param User $user
+ * @return bool
+ */
+ public static function isThrottled( $user ) {
+ return $user->pingLimiter( 'upload' );
+ }
+
// Upload handlers. Should probably just be a global.
static $uploadHandlers = array( 'Stash', 'File', 'Url' );
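Review bot: `isThrottled()` reads like a side-effect-free query, but it delegates to `pingLimiter( 'upload' )`, which as far as I know counts the call against the limit as well as testing it. The docblock should say so, e.g. `Note: each call counts as one upload attempt; call it once per request.`, so a later caller does not check twice and double-count. The documented `@param User $user` could also be enforced in the signature: `public static function isThrottled( User $user ) {`. The class body continues outside the hunk.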
--
2.6.1
Attached To
T91850: No rate limits on uploading files