From 0e0d9a53454149fa1d97a6bdede664dfe2b8d3c7 Mon Sep 17 00:00:00 2001
From: csteipp <csteipp@wikimedia.org>
Date: Wed, 11 Mar 2015 18:44:44 -0700
Subject: [PATCH] SECURITY: Throttle uploads

Add throttle check in ApiUpload and SpecialUpload.

Bug: T91850
Change-Id: If33cc99f304aab2486507c7500b4abb06b6b5d70
---
 includes/DefaultSettings.php        |  6 ++++++
 includes/api/ApiUpload.php          |  5 +++++
 includes/specials/SpecialUpload.php |  5 +++++
 includes/upload/UploadBase.php      | 10 ++++++++++
 4 files changed, 26 insertions(+)

diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 6f2f5b9..3232262 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -5174,6 +5174,12 @@ $wgRateLimits = array(
 		'ip' => null, // for each anon and recent account
 		'subnet' => null, // ... within a /24 subnet in IPv4 or /64 in IPv6
 	),
+	'upload' => array(
+		'user' => null,
+		'newbie' => null,
+		'ip' => null,
+		'subnet' => null,
+	),
 	'move' => array(
 		'user' => null,
 		'newbie' => null,
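Review bot: Every entry in the new `'upload'` block is `null`, so, by the same pattern as the surrounding `'move'` and preceding blocks, the throttle this patch adds is presumably disabled until a site sets an explicit limit; a reader of a "SECURITY" commit may assume the mitigation is active out of the box, and neither the commit message nor the config says otherwise. The preceding block documents what each scope key covers ("for each anon and recent account", "/24 subnet in IPv4 or /64 in IPv6") while the new one carries no comments, so I would copy those over, e.g. `'ip' => null, // for each anon and recent account` and `'subnet' => null, // ... within a /24 subnet in IPv4 or /64 in IPv6`. A sentence in the commit description stating that the default is inert, or a non-null default for the `newbie`/`ip` scopes, would make the intent clear to operators.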
diff --git a/includes/api/ApiUpload.php b/includes/api/ApiUpload.php
index 54294c9..cc148cd 100644
--- a/includes/api/ApiUpload.php
+++ b/includes/api/ApiUpload.php
@@ -70,6 +70,11 @@ class ApiUpload extends ApiBase {
 		// First check permission to upload
 		$this->checkPermissions( $user );
 
+		// Check throttle
+		if ( UploadBase::isThrottled( $user ) ) {
+			$this->dieUsageMsg( 'actionthrottledtext' );
+		}
+
 		// Fetch the file (usually a no-op)
 		/** @var $status Status */
 		$status = $this->mUpload->fetchFile();
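Review bot: The throttle check on the added lines applies to every call that reaches this point of `execute()`, not only to completed uploads, so a request that fails later in `fetchFile()` or verification presumably still consumes the caller's budget, and if chunked and stash requests pass through the same method (the rest of `execute()` is outside the hunk) each chunk is a hit as well; operators sizing the `'upload'` limit need that unit stated. I would say so at the check, e.g. `// Check throttle: each request reaching here counts against the 'upload' rate limit, whether or not the upload succeeds`. `dieUsageMsg( 'actionthrottledtext' )` also presumes that key is mapped in the API's error-message table, which this hunk cannot show; if it is not, the client receives an unmapped-message error rather than a clear throttled result, so confirm the mapping. `execute()` begins and ends outside the hunk.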
diff --git a/includes/specials/SpecialUpload.php b/includes/specials/SpecialUpload.php
index 6b0bf41..be719bf 100644
--- a/includes/specials/SpecialUpload.php
+++ b/includes/specials/SpecialUpload.php
@@ -174,6 +174,11 @@ class SpecialUpload extends SpecialPage {
 			throw new UserBlockedError( $user->getBlock() );
 		}
 
+		# Check Throttle
+		if ( UploadBase::isThrottled( $user ) ) {
+			throw new ThrottledError();
+		}
+
 		# Check whether we actually want to allow changing stuff
 		$this->checkReadOnly();
 
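Review bot: The new check runs before `checkReadOnly()` and, as far as the hunk shows, before any test of whether the request is an actual upload submission, so if the remainder of `execute()` (outside the hunk) also serves plain views of the form, each visit to Special:Upload would spend one unit of the user's `'upload'` budget and could lock a user out before they submit anything; confirm whether the form-display path passes through here and, if so, move the check into the submission branch. At minimum it should follow `$this->checkReadOnly();` so that a read-only wiki does not burn the limit on requests that cannot proceed anyway. The comment casing also differs from the API hunk (`# Check Throttle` vs `// Check throttle`); `# Check throttle` keeps the two consistent.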
diff --git a/includes/upload/UploadBase.php b/includes/upload/UploadBase.php
index 426c752..287c5fe 100644
--- a/includes/upload/UploadBase.php
+++ b/includes/upload/UploadBase.php
@@ -128,6 +128,16 @@ abstract class UploadBase {
 		return true;
 	}
 
+	/**
+	 * Returns true if the user has surpassed the upload rate limit, false otherwise.
+	 *
+	 * @param User $user
+	 * @return bool
+	 */
+	public static function isThrottled( $user ) {
+		return $user->pingLimiter( 'upload' );
+	}
+
 	// Upload handlers. Should probably just be a global.
 	private static $uploadHandlers = array( 'Stash', 'File', 'Url' );
 
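Review bot: `isThrottled( $user )` declares no parameter type although the docblock promises a `User`, and the docblock describes a pure query while the underlying call is `pingLimiter()`, whose name suggests it records a hit as well as testing the limit — if so, calling this helper twice in one request would count twice, which the name `isThrottled` hides. I would add the hint, `public static function isThrottled( User $user ) {`, and extend the docblock with a sentence such as "Note: this pings the 'upload' rate limiter, i.e. the call itself counts as an upload attempt; call it at most once per request" (to be confirmed against pingLimiter's behaviour). Class type hints are available in the PHP 5 versions this code targets, so the hint costs nothing in compatibility.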
-- 
1.8.4.5

