Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
Bug 1634161 - (CVE-2018-0503) CVE-2018-0503 mediawiki: $wgRateLimits (rate limit / ping limiter) entry for 'user' overrides that for 'newbie'
CVE-2018-0503 mediawiki: $wgRateLimits (rate limit / ping limiter) entry for ...
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20180924,reported=2...
: Security
Depends On: 1634162
Blocks: 1634171
  Show dependency treegraph
 
Reported: 2018-09-28 16:27 EDT by Pedro Sampaio
Modified: 2018-09-28 16:49 EDT (History)
12 users (show)

See Also:
Fixed In Version: mediawiki 1.31.1, mediawiki 1.30.1, mediawiki 1.29.3, mediawiki 1.27.5
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Pedro Sampaio 2018-09-28 16:27:04 EDT
As reported:

Contrary to the documentation, $wgRateLimits entry for 'user' overrides that for 'newbie'.

For example, with the following configuration, newly registered accounts are able to edit 10 pages per hour instead of 5:

$wgRateLimits[ 'edit' ] = [
  'user' => [ 10, 60*60 ],
  'newbie' => [ 5, 60*60 ],
];

This seems to be the opposite of what documentation in DefaultSettings.php says:

'newbie' => [ x, y ], // each new autoconfirmed accounts; overrides 'user'

(although that should probably be 'non-autoconfirmed'…).

Upstream bug:

https://phabricator.wikimedia.org/T169545

References:

https://lists.wikimedia.org/pipermail/mediawiki-announce/2018-September/000223.html
Comment 1 Pedro Sampaio 2018-09-28 16:28:15 EDT
Created mediawiki tracking bugs for this issue:

Affects: fedora-all [bug 1634162]

Note You need to log in before you can comment on or make changes to this bug.