From cea8b82e79fe81b6f18d25e2a74d2fc0b2418493 Mon Sep 17 00:00:00 2001
From: csteipp <csteipp@wikimedia.org>
Date: Tue, 17 May 2016 15:18:20 -0700
Subject: [PATCH] SECURITY: Canonicalize usernames before rate limiting logins

Bug: T127114
Change-Id: If54b01efbdd129d480943be6b0d92ed6406a16a0
---
 includes/specialpage/LoginSignupSpecialPage.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/includes/specialpage/LoginSignupSpecialPage.php b/includes/specialpage/LoginSignupSpecialPage.php
index 0e4252c..31da1cd 100644
--- a/includes/specialpage/LoginSignupSpecialPage.php
+++ b/includes/specialpage/LoginSignupSpecialPage.php
@@ -1559,7 +1559,8 @@ class LoginFormAuthManager extends SpecialPage {
 	public static function incrementLoginThrottle( $username ) {
 		wfDeprecated( __METHOD__, "1.27" );
 		global $wgRequest;
-		$username = User::getCanonicalName( $username, 'usable' ) ?: $username;
+		$canUsername = User::getCanonicalName( $username, 'usable' );
+		$username = $canUsername !== false ? $canUsername : $username;
 		$throttler = new Throttler();
 		return $throttler->increase( $username, $wgRequest->getIP(), __METHOD__ );
 	}
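Review bot: The strict `!== false` test added in incrementLoginThrottle, and repeated in clearLoginThrottle in the next hunk, carries no comment saying why it replaces `?:`, so a later cleanup could fold it back into the short form. The difference appears to be a canonical name that is a falsy string such as "0": `?:` would discard it and key the throttle on the raw, un-normalized input. I would add `// Strict check: a canonical name like "0" is falsy and must not fall back to the raw input` above the assignment in both methods. When canonicalization does return false, the caller-supplied `$username` is still used as the throttle key, so it is worth confirming that Throttler bounds or hashes that string. Both methods must derive the key identically for clear() to reset what increase() counted, and the duplicated two lines have to be kept in sync by hand.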
@@ -1579,7 +1580,8 @@ class LoginFormAuthManager extends SpecialPage {
 	public static function clearLoginThrottle( $username ) {
 		wfDeprecated( __METHOD__, "1.27" );
 		global $wgRequest;
-		$username = User::getCanonicalName( $username, 'usable' ) ?: $username;
+		$canUsername = User::getCanonicalName( $username, 'usable' );
+		$username = $canUsername !== false ? $canUsername : $username;
 		$throttler = new Throttler();
 		return $throttler->clear( $username, $wgRequest->getIP() );
 	}
-- 
2.6.6

