MediaWiki r38886 - Code Review

Repository:MediaWiki
Revision:r38885‎ | r38886 (on ViewVC)‎ | r38887 >
Date:11:49, 8 August 2008
Author:werdna
Status:old
Tags:
Comment:
* (bug 12370) Add throttle on password attempts. Defaults to max 5 attempts in 5 minutes.
Modified paths:

Diff

Index: trunk/phase3/includes/DefaultSettings.php
===================================================================
--- trunk/phase3/includes/DefaultSettings.php	(revision 38885)
+++ trunk/phase3/includes/DefaultSettings.php	(revision 38886)
@@ -3357,3 +3357,9 @@
  * ting this variable false.
  */
 $wgUseAutomaticEditSummaries = true;
+
+/**
+ * Limit password attempts to X attempts per Y seconds per IP per account.
+ * Requires memcached.
+ */
+$wgPasswordAttemptThrottle = array( 5, 300 );
\ No newline at end of file
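Review bot: The docblock on the new `$wgPasswordAttemptThrottle` setting should spell out the array shape and the disable/failure modes, because the consumer in SpecialUserlogin silently skips the throttle unless the value is an array with at least two elements and keeps the counter in `$wgMemc`. Suggested wording: ` * Array of ( maximum attempts, window in seconds ), keyed per IP and account name.` / ` * Set to false to disable. The counter lives in $wgMemc, so with no shared cache` / ` * configured the throttle presumably never triggers — verify for your cache backend.` The setting is also added without a trailing newline at end of file (the `\ No newline at end of file` marker), which the next patch to this file will have to repair.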
Index: trunk/phase3/includes/specials/SpecialUserlogin.php
===================================================================
--- trunk/phase3/includes/specials/SpecialUserlogin.php	(revision 38885)
+++ trunk/phase3/includes/specials/SpecialUserlogin.php	(revision 38886)
@@ -33,6 +33,7 @@
 	const RESET_PASS = 7;
 	const ABORTED = 8;
 	const CREATE_BLOCKED = 9;
+	const THROTTLED = 10;
 
 	var $mName, $mPassword, $mRetype, $mReturnTo, $mCookieCheck, $mPosted;
 	var $mAction, $mCreateaccount, $mCreateaccountMail, $mMailmypassword;
@@ -372,6 +373,23 @@
 		if ( '' == $this->mName ) {
 			return self::NO_NAME;
 		}
+		
+		global $wgPasswordAttemptThrottle;
+		if (is_array($wgPasswordAttemptThrottle) && count($wgPasswordAttemptThrottle) >=2) {
+			list($count,$period) = $wgPasswordAttemptThrottle;
+			$key = wfMemcKey( 'password-throttle', wfGetIP(), $this->mName );
+			
+			global $wgMemc;
+			$cur = $wgMemc->get($key);
+			if ($cur>0 && $cur<$count) {
+				$wgMemc->incr($key);
+				// Okay
+			} elseif ($cur>0) {
+				return self::THROTTLED;
+			} elseif (!$cur) {
+				$wgMemc->add( $key, 1, $period );
+			}
+		}
 
 		// Load $wgUser now, and check to see if we're logging in as the same name. 
 		// This is necessary because loading $wgUser (say by calling getName()) calls
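Review bot: The counter written at `$wgMemc->add( $key, 1, $period );` and bumped by `$wgMemc->incr($key);` is never cleared on a successful login, so an account that signs in a few times within the window — or whose attempts share an IP with someone else's — is locked out by a limit intended for failed guesses; the success path of this method lies outside the hunk, but once the password is verified it should `$wgMemc->delete( $key );` (or the throttle should count only failures). The key is built from the raw `$this->mName` rather than the canonical name the rest of authentication uses, so the same account can be counted under several keys; build it from `User::getCanonicalName( $this->mName )` if that is available at this point. A throttled attempt is not recorded anywhere, which makes a sustained guessing campaign invisible to operators; a `wfDebugLog( 'login', "Password attempt throttled for {$this->mName}" );` before `return self::THROTTLED;` would give detection something to work with. The `get`-then-`incr`/`add` sequence is not atomic, which is acceptable for a rate limit but deserves a comment saying so; the enclosing method starts before the hunk.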
@@ -541,6 +559,9 @@
 			case self::CREATE_BLOCKED:
 				$this->userBlockedMessage();
 				break;
+			case self::THROTTLED:
+				$this->mainLoginForm( wfMsg( 'login-throttled' ) );
+				break;
 			default:
 				throw new MWException( "Unhandled case value" );
 		}
Index: trunk/phase3/languages/messages/MessagesEn.php
===================================================================
--- trunk/phase3/languages/messages/MessagesEn.php	(revision 38885)
+++ trunk/phase3/languages/messages/MessagesEn.php	(revision 38886)
@@ -971,6 +971,7 @@
 You should log in and change your password now.
 
 You may ignore this message, if this account was created in error.',
+'login-throttled'	     => "You have made too many recent attempts on this account's password. Please wait before trying again.",
 'loginlanguagelabel'         => 'Language: $1',
 'loginlanguagelinks'         => '* Deutsch|de
 * English|en
Index: trunk/phase3/RELEASE-NOTES
===================================================================
--- trunk/phase3/RELEASE-NOTES	(revision 38885)
+++ trunk/phase3/RELEASE-NOTES	(revision 38886)
@@ -79,6 +79,7 @@
 * (bug 15055) Talk page notifications no longer attempt to send mail when
   user's e-mail address is invalid or unconfirmed
 * (bug 2443) Add image name as alt-text when no caption is provided.
+* (bug 12370) Add throttle on password attempts. Defaults to max 5 attempts in 5 minutes.
 
 === API changes in 1.14 ===
 

Follow-up revisions

Rev.Commit summaryAuthorDate
r38960Cleanup for r38886 "(bug 12370) Add throttle on password attempts. Defaults t...brion22:15, 8 August 2008

Status & tagging log

  • 15:29, 12 September 2011 Meno25 (Talk | contribs) changed the status of r38886 [removed: ok added: old]