F3885673
SECURITY: Rate limit moves via the API.patch
Authored By
Anomie
Apr 17 2016, 2:38 PM
2016-04-17 14:38:04 (UTC+0)
Size
1 KB
From 104007a0587e7a6be908309d21ad8988c1427f06 Mon Sep 17 00:00:00 2001
From: Brad Jorsch <bjorsch@wikimedia.org>
Date: Sun, 17 Apr 2016 10:32:56 -0400
Subject: [PATCH] SECURITY: Rate limit moves via the API
While rate limiting has been applied to moves via the web UI since rate
limiting was first added, it appears that it was overlooked when ApiMove
was created.
This follows the same model as is followed by the web UI: each
submission to ApiMove is one "hit" for the rate limiter, even though
that submission might result in multiple pages being moved (e.g. the
page, its talk page, and its subpages) depending on the options and user
rights.
Bug: T132874
Change-Id: I564d8bfcc7dd3ad6d92dbbc33519a589697c0d4e
---
includes/api/ApiMove.php | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/includes/api/ApiMove.php b/includes/api/ApiMove.php
index 2fbd50e..29e67b0 100644
--- a/includes/api/ApiMove.php
+++ b/includes/api/ApiMove.php
@@ -72,6 +72,11 @@ class ApiMove extends ApiBase {
}
}
+ // Rate limit
+ if ( $user->pingLimiter( 'move' ) ) {
+ $this->dieUsageMsg( 'actionthrottledtext' );
+ }
+
// Move the page
$toTitleExists = $toTitle->exists();
$status = $this->movePage( $fromTitle, $toTitle, $params['reason'], !$params['noredirect'] );
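Review bot: The new comment `// Rate limit` above the `pingLimiter( 'move' )` check does not record that the limiter is hit once per request, ahead of `movePage()`, so the talk page and subpage moves mentioned in the commit message are not counted separately. The commit message says this is deliberate and mirrors the web UI; the comment should say so too, for example "one hit per API request, as in the web UI, regardless of how many pages end up moved", so a later reader does not take it for an oversight. The diffstat also lists only includes/api/ApiMove.php, so nothing exercises the throttled path; a test asserting that a throttled request dies with 'actionthrottledtext' before `movePage()` is reached would keep this check from regressing.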
--
2.8.0.rc3
Attached To
T132874: API action=move is not rate limited