From 6b3f05d46d6f033ebda3b078eca5186a8748088e Mon Sep 17 00:00:00 2001
From: Chad Horohoe
Date: Tue, 13 Mar 2018 18:43:30 +0000
Subject: [PATCH] SECURITY: Make 'newbie' limit in $wgRateLimits really override 'user' limit

The order of operations was incorrect.

Bug: T169545
Change-Id: Ia910aa2a494914d3b0017daac9ab294ea9fa8705
---
 RELEASE-NOTES-1.31 | 1 +
 includes/user/User.php | 9 +++++----
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/RELEASE-NOTES-1.31 b/RELEASE-NOTES-1.31
index 4331e4f457..661d2690aa 100644
--- a/RELEASE-NOTES-1.31
+++ b/RELEASE-NOTES-1.31
@@ -10,6 +10,7 @@ This is a security and maintenance release of the MediaWiki 1.31 branch.
 * (T198687) Fix various selectFields methods to use the string 'NULL', not null.
 * Special:BotPasswords now requires reauthentication.
 * (T191608, T187638) Add 'logid' parameter to Special:Log.
+* (T169545) $wgRateLimits entry for 'user' overrides that for 'newbie'.
 
 == MediaWiki 1.31 ==
 
diff --git a/includes/user/User.php b/includes/user/User.php
index ea395f4acd..aa211841f8 100644
--- a/includes/user/User.php
+++ b/includes/user/User.php
@@ -2108,10 +2108,6 @@ class User implements IDBAccessObject, UserIdentity {
 if ( isset( $limits['user'] ) ) {
 $userLimit = $limits['user'];
 }
- // limits for newbie logged-in users
- if ( $isNewbie && isset( $limits['newbie'] ) ) {
- $keys[$cache->makeKey( 'limiter', $action, 'user', $id )] = $limits['newbie'];
- }
 }
 
 // limits for anons and for newbie logged-in users
@@ -2143,6 +2139,11 @@ class User implements IDBAccessObject, UserIdentity {
 }
 }
 
+ // limits for newbie logged-in users (override all the normal user limits)
+ if ( $id !== 0 && $isNewbie && isset( $limits['newbie'] ) ) {
+ $userLimit = $limits['newbie'];
+ }
+
 // Set the user limit key
 if ( $userLimit !== false ) {
 list( $max, $period ) = $userLimit;
-- 
2.17.1
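Review bot: The newbie override added in the second User.php hunk replaces `$userLimit` outright with `$limits['newbie']` instead of taking the stricter of the two limits, so a `newbie` entry configured looser than the limit chosen earlier would relax throttling for the very accounts it is meant to restrain. That appears to be the intended meaning of "override", but the comment should spell out the configuration consequence, e.g. `// 'newbie' replaces the limit chosen above (it is not combined with it), so it must be configured as the stricter value`. The diffstat lists no test file, and because the original bug was purely an ordering mistake, a regression test asserting that a new account is keyed with the `newbie` limit when both `user` and `newbie` are set would stop it from silently returning. The enclosing method starts and ends outside the hunk, so the code between the two hunks that may also assign `$userLimit` is not visible here.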