On Wed, Aug 13, 2008 at 6:29 PM, aaron@svn.wikimedia.org wrote:

Log Message:

I really don't like the idea of invalid IPs sending these passwords out . . . Modified: trunk/phase3/includes/specials/SpecialUserlogin.php . . .

•           if ( '' == $ip ) { $ip = '(Unknown)'; }
  

•           if( !$ip ) {
  

•                   return new WikiError( wfMsg( 'badipaddress' ) );
  

•           }
  

•           #if ( '' == $ip ) { $ip = '(Unknown)'; }
  

Under what circumstances would the $ip ever be invalid? Where $_SERVER['REMOTE_ADDR'] is unset? When might that be? If there's no known circumstance, this chunk of code should just be removed. If there is one, wfGetIP()'s documentation should be updated (but whether this change is reasonable depends on when wfGetIP() might fail).

Overall, I have a hard time imagining why a strange IP address should merit blocking e-mail reset requests.