rate_limit: Merge two IP rate-limit domains that send emails.

Both `create_realm_by_ip` and `find_account_by_ip` send emails to
arbitrary email addresses, and as such can be used to spam users.
Lump their IP rate limits into the same bucket; most legitimate users
will likely not be using both of these endpoints at similar times.

The rate is set at 5 in 30 minutes, the more quickly-restrictive of
the two previous rates.
Alex Vandiver
2021-11-03 13:40:28 -07:00
committed by Tim Abbott
parent 5f0897e6f7
commit 0cfb156545
4 changed files with 24 additions and 13 deletions


@@ -266,8 +266,7 @@ RATE_LIMITING_RULES: Dict[str, List[Tuple[int, int]]] = {
"api_by_ip": [],
"api_by_remote_server": [],
"authenticate_by_username": [],
"create_realm_by_ip": [],
"find_account_by_ip": [],
"sends_email_by_ip": [],
"password_reset_form_by_email": [],
}
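Review bot: The 5-in-30-minutes rate described in the commit message is not visible in this hunk, which only swaps the `create_realm_by_ip` and `find_account_by_ip` keys for `sends_email_by_ip` in a rules dict whose values are all empty lists; confirm that the default `RATE_LIMITING_RULES` entry for `sends_email_by_ip` in the other changed files carries the stricter of the two previous values, and that every lookup of the two removed keys (rate-limit decorators, tests) is updated, since a stale reference to `"create_realm_by_ip"` or `"find_account_by_ip"` would now fail with a KeyError. A test that exhausts the limit through one endpoint and then asserts the other endpoint is also rejected would document the shared-bucket behaviour this change relies on.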