From 385d2ac6b8d26b814da683e5b63ddce879569e32 Mon Sep 17 00:00:00 2001
From: Chad Horohoe <chadh@wikimedia.org>
Date: Thu, 15 Oct 2015 12:48:47 -0700
Subject: [PATCH] SECURITY: Throttle uploads

Add throttle check in ApiUpload and SpecialUpload.

Bug: T91850
Change-Id: If33cc99f304aab2486507c7500b4abb06b6b5d70
---
 includes/DefaultSettings.php        |  6 ++++++
 includes/api/ApiUpload.php          |  6 ++++++
 includes/specials/SpecialUpload.php |  8 ++++++++
 includes/upload/UploadBase.php      | 10 ++++++++++
 4 files changed, 30 insertions(+)

diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index e0ab60a..cededac 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -4768,6 +4768,12 @@ $wgRateLimits = array(
 		'ip' => null, // for each anon and recent account
 		'subnet' => null, // ... within a /24 subnet in IPv4 or /64 in IPv6
 	),
+	'upload' => array(
+		'user' => null,
+		'newbie' => null,
+		'ip' => null,
+		'subnet' => null,
+	),
 	'move' => array(
 		'user' => null,
 		'newbie' => null,
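Review bot: The new `'upload'` bucket carries none of the inline comments the neighbouring bucket has on its `'ip'` and `'subnet'` entries, and with all four limits defaulting to null the throttle introduced by this patch is inactive until a site configures it; neither fact is stated here. I would mirror the existing entries, `'ip' => null, // for each anon and recent account` and `'subnet' => null, // ... within a /24 subnet in IPv4 or /64 in IPv6`, and add a one-line comment on the bucket itself saying that the upload limit is off by default. If the `$wgRateLimits` doc comment above this hunk enumerates the action keys, it presumably needs `upload` added as well.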
diff --git a/includes/api/ApiUpload.php b/includes/api/ApiUpload.php
index 30f8adb..354bd0d 100644
--- a/includes/api/ApiUpload.php
+++ b/includes/api/ApiUpload.php
@@ -139,6 +139,12 @@ class ApiUpload extends ApiBase {
 			return $this->getStashResult( $warnings );
 		}
 
+		// Check throttle after we've handled warnings
+		if ( UploadBase::isThrottled( $this->getUser() )
+		) {
+			$this->dieUsageMsg( 'actionthrottledtext' );
+		}
+
 		// This is the most common case -- a normal upload with no warnings
 		// performUpload will return a formatted properly for the API with status
 		return $this->performUpload( $warnings );
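Review bot: The stash return on the first line of the hunk is reached before the new throttle check, so an upload that ends up stashed is not counted against the `upload` limit at all; if getStashResult stores the file, that leaves one storage path outside the rate limit this patch is meant to add, which is worth either confirming as intended in the comment (`// Check throttle after we've handled warnings; stashed uploads are deliberately exempt`) or fixing by moving the check ahead of the stash branch. Separately, the condition is split with its closing parenthesis on a line of its own, which does not match the rest of the file; `if ( UploadBase::isThrottled( $this->getUser() ) ) {` fits on one line. The enclosing method begins outside the hunk.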
diff --git a/includes/specials/SpecialUpload.php b/includes/specials/SpecialUpload.php
index b46f942..30b621e 100644
--- a/includes/specials/SpecialUpload.php
+++ b/includes/specials/SpecialUpload.php
@@ -450,6 +450,14 @@ class SpecialUpload extends SpecialPage {
 			}
 		}
 
+		// This is as late as we can throttle, after expected issues have been handled
+		if ( UploadBase::isThrottled( $this->getUser() ) ) {
+			$this->showRecoverableUploadError(
+				$this->msg( 'actionthrottledtext' )->escaped()
+			);
+			return;
+		}
+
 		// Get the page text if this is not a reupload
 		if ( !$this->mForReUpload ) {
 			$pageText = self::getInitialPageText( $this->mComment, $this->mLicense,
diff --git a/includes/upload/UploadBase.php b/includes/upload/UploadBase.php
index eb33220..73d9143 100644
--- a/includes/upload/UploadBase.php
+++ b/includes/upload/UploadBase.php
@@ -123,6 +123,16 @@ abstract class UploadBase {
 		return true;
 	}
 
+	/**
+	 * Returns true if the user has surpassed the upload rate limit, false otherwise.
+	 *
+	 * @param User $user
+	 * @return bool
+	 */
+	public static function isThrottled( $user ) {
+		return $user->pingLimiter( 'upload' );
+	}
+
 	// Upload handlers. Should probably just be a global.
 	static $uploadHandlers = array( 'Stash', 'File', 'Url' );
 
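Review bot: `isThrottled( $user )` declares `@param User $user` in its docblock but leaves the parameter untyped; `public static function isThrottled( User $user ) {` would make a wrong argument fail at the call site instead of inside pingLimiter. The name reads like a pure query, yet if `pingLimiter` records a hit for every call as its name suggests, calling this helper more than once per upload attempt would double-count, so the docblock should say so: `Note: this pings the rate limiter, so each call counts as an upload attempt; call it at most once per attempt.` Both new callers in this patch call it exactly once, which is consistent with that reading.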
-- 
2.6.1

