T127114-master.patch
No One
Actions

Authored By

	Bawolff
	May 9 2016, 8:06 AM

Size

1 KB

Referenced Files

None

Subscribers

None

T127114-master.patch
View Options

	From 588ce42cee4dd2d4e6bd216e1651d3c1286d1749 Mon Sep 17 00:00:00 2001
	From: Brian Wolff <bawolff+wn@gmail.com>
	Date: Mon, 9 May 2016 03:51:01 -0400
	Subject: [PATCH] [SECURITY] Canonicalize usernames before rate limiting logins

	Bug: T127114
	Change-Id: I020cecf345c6bad4f461b70203f0bd29792de1f8
	---
	includes/specials/SpecialUserlogin.php \| 6 ++++--
	1 file changed, 4 insertions(+), 2 deletions(-)

	diff --git a/includes/specials/SpecialUserlogin.php b/includes/specials/SpecialUserlogin.php
	index a77c79e..19d1b6a 100644
	--- a/includes/specials/SpecialUserlogin.php
	+++ b/includes/specials/SpecialUserlogin.php
	@@ -894,7 +894,8 @@ class LoginForm extends SpecialPage {
	*/
	public static function incrementLoginThrottle( $username ) {
	global $wgPasswordAttemptThrottle, $wgRequest;
	- $username = User::getCanonicalName( $username, 'usable' ) ?: $username;
	+ $canUsername = User::getCanonicalName( $username, 'usable' );
	+ $username = $canUsername !== false ? $canUsername : $username;

	$throttleCount = 0;
	if ( is_array( $wgPasswordAttemptThrottle ) ) {
	@@ -979,7 +980,8 @@ class LoginForm extends SpecialPage {
	*/
	public static function clearLoginThrottle( $username ) {
	global $wgRequest, $wgPasswordAttemptThrottle;
	- $username = User::getCanonicalName( $username, 'usable' ) ?: $username;
	+ $canUsername = User::getCanonicalName( $username, 'usable' );
	+ $username = $canUsername !== false ? $canUsername : $username;

	if ( is_array( $wgPasswordAttemptThrottle ) ) {
	$throttleConfig = $wgPasswordAttemptThrottle;
	--
	2.0.1

Attached To	Mode
T127114: Login throttle can be tricked using non-canonicalized usernames	Attached	Detach File
T124940: MediaWiki 1.26.3 security release	Attached	Detach File