On Wed, Aug 13, 2008 at 6:29 PM, <aaron(a)svn.wikimedia.org> wrote:
> Log Message:
> -----------
> I really don't like the idea of invalid IPs sending these passwords out
> . . .
> Modified: trunk/phase3/includes/specials/SpecialUserlogin.php
> . . .
> - if ( '' == $ip ) { $ip = '(Unknown)'; }
> + if( !$ip ) {
> + return new WikiError( wfMsg( 'badipaddress' ) );
> + }
> + #if ( '' == $ip ) { $ip = '(Unknown)'; }
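
Review bot: the commented-out line `#if ( '' == $ip ) { $ip = '(Unknown)'; }` at the end of this hunk should be deleted rather than left behind, since with the early return above it the '(Unknown)' fallback can no longer apply and the old behaviour stays available in version control. The new `if( !$ip )` branch also carries no comment saying when $ip is expected to be empty; a one-line comment there would show a later reader whether this is a real condition or only a defensive check, and whether 'badipaddress' is the right message for it.
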
Under what circumstances would the $ip ever be invalid? Where
$_SERVER['REMOTE_ADDR'] is unset? When might that be? If there's no
known circumstance, this chunk of code should just be removed. If
there is one, wfGetIP()'s documentation should be updated (but whether
this change is reasonable depends on when wfGetIP() might fail).
Overall, I have a hard time imagining why a strange IP address should
merit blocking e-mail reset requests.