r50368 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r50367‎ \| r50368 \| r50369 >
Date:	14:00, 9 May 2009
Author:	btongminh
Status:	ok (Comments)
Tags:
Comment:	Verify IP whitelisting on login and account creation as well.
Modified paths:	/trunk/extensions/ConfirmEdit/ConfirmEdit_body.php (modified) (history)

Diff [purge]

Index: trunk/extensions/ConfirmEdit/ConfirmEdit_body.php
—	—	@@ -214,6 +214,22 @@
215	215	}
216	216
217	217	/**
	218	+ * Check if the IP is allowed to skip captchas
	219	+ */
	220	+ function isIPWhitelisted() {
	221	+ global $wgCaptchaWhitelistIP;
	222	+ if( !empty( $wgCaptchaWhitelistIP ) ) {
	223	+ $ip = wfGetIp();
	224	+ foreach ( $wgCaptchaWhitelistIP as $range ) {
	225	+ if ( IP::isInRange( $ip, $range ) ) {
	226	+ return true;
	227	+ }
	228	+ }
	229	+ }
	230	+ return false;
	231	+ }
	232	+
	233	+ /**
218	234	* Internal cache key for badlogin checks.
219	235	* @return string
220	236	* @access private
—	—	@@ -268,15 +284,8 @@
269	285	wfDebug( "ConfirmEdit: user group allows skipping captcha\n" );
270	286	return false;
271	287	}
272		~~- global $wgCaptchaWhitelistIP;~~
273		~~- if( !empty( $wgCaptchaWhitelistIP ) ) {~~
274		~~- $ip = wfGetIp();~~
275		~~- foreach ( $wgCaptchaWhitelistIP as $range ) {~~
276		~~- if ( IP::isInRange( $ip, $range ) ) {~~
277		~~- return false;~~
278		~~- }~~
279		~~- }~~
280		~~- }~~
	288	+ if( $this->isIPWhitelisted() )
	289	+ return false;
281	290
282	291
283	292	global $wgEmailAuthentication, $ceAllowConfirmedEmail;
—	—	@@ -523,6 +532,9 @@
524	533	wfDebug( "ConfirmEdit: user group allows skipping captcha on account creation\n" );
525	534	return true;
526	535	}
	536	+ if( $this->isIPWhitelisted() )
	537	+ return true;
	538	+
527	539	$this->trigger = "new account '" . $u->getName() . "'";
528	540	if( !$this->passCaptcha() ) {
529	541	$message = wfMsg( 'captcha-createaccount-fail' );
—	—	@@ -540,6 +552,9 @@
541	553	*/
542	554	function confirmUserLogin( $u, $pass, &$retval ) {
543	555	if( $this->isBadLoginTriggered() ) {
	556	+ if( $this->isIPWhitelisted() )
	557	+ return true;
	558	+
544	559	$this->trigger = "post-badlogin login '" . $u->getName() . "'";
545	560	if( !$this->passCaptcha() ) {
546	561	$message = wfMsg( 'captcha-badlogin-fail' );

Comments

#Comment by Brion VIBBER (talk | contribs) 17:40, 11 May 2009

This looks like it would disable captcha rate limiting for login attempts when logged in with a privileged IP. This seems a little sketchy to me?

#Comment by Bryan (talk | contribs) 21:19, 12 May 2009

Isn't that the whole point of privileging an IP?

Status & tagging log

10:16, 4 June 2009 Tim Starling (talk | contribs) changed the status of r50368 [removed: fixme added: ok]
17:40, 11 May 2009 Brion VIBBER (talk | contribs) changed the status of r50368 [removed: new added: fixme]