#11938 closed defect (bug) (wontfix)
Akismet doesn't take the HTTP_X_FORWARDED_HOST into account, sees all comments as spam
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | General | Version: | 2.9.1 |
| Severity: | normal | Keywords: | close has-patch |
| Cc: | | | |
Description
On some installations, requests are forwarded to separate 'PHP workers' and the original REMOTE_ADDR key in the $_SERVER superglobal might be changed to the forwarder's IP instead of the original commenter's. This means that all requests have the same REMOTE_ADDR when sent to the Akismet servers and therefore are all seen as spam.
The forwarding servers add an extra header to the HTTP request called 'HTTP_X_FORWARDED_HOST' that contains the original IP.
I've attached a patch that uses this address if it's available; otherwise it takes the normal 'REMOTE_ADDR' key into account.
Attachments (1)
Change History (5)
- Keywords close has-patch added
- Milestone changed from 2.9.2 to Unassigned
- Milestone Unassigned deleted
- Resolution set to wontfix
- Status changed from new to closed
comment:4
miqrogroove — 3 years ago
wontfix is fine. I'd go so far as to say invalid because HTTP requests are not usable in the manner suggested by OP. You'd have a CVE slapped on WordPress trunk faster than you can finish beta testing.

This should be reported on the Akismet site.
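
The concern raised in comment:4, shown as an added example (not the ticket's attached patch, and not WordPress or Akismet code): a forwarding header is client-controlled unless the direct peer is a proxy you operate. The code assumes the forwarder sets `X-Forwarded-For`, the header that conventionally carries the client address (`X-Forwarded-Host` conventionally carries the original Host header); `resolve_client_ip`, the proxy list and all addresses are hypothetical, constructed values.

```php
<?php
// Added example: hypothetical helper, not WordPress or Akismet code.
// All addresses are constructed sample values (RFC 1918 / RFC 5737 ranges).

/**
 * Return the client address to report, honouring X-Forwarded-For only
 * when the direct peer (REMOTE_ADDR) is a proxy we operate.
 */
function resolve_client_ip(array $server, array $trusted_proxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    // Direct peer is not one of our forwarders: any X-Forwarded-* header
    // was written by the client and must be ignored.
    if (!in_array($peer, $trusted_proxies, true)) {
        return $peer;
    }
    $header = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    $hops = array_filter(array_map('trim', explode(',', $header)), 'strlen');
    // Walk right to left: the rightmost entries were appended by our own
    // proxies; the first entry that is not a trusted proxy is the client.
    // Anything further left was supplied by the client and is never read.
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $peer; // malformed chain: fall back to the peer address
        }
        if (!in_array($hop, $trusted_proxies, true)) {
            return $hop;
        }
    }
    return $peer; // header absent, or it lists only our own proxies
}

$trusted = ['10.0.0.5']; // assumption: the single forwarder in front of PHP

// Relayed by our forwarder; the client prepended a forged loopback entry,
// which sits left of the address our proxy appended and is skipped.
echo resolve_client_ip([
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 203.0.113.7',
], $trusted), "\n";

// Direct request that carries a forged header: the header is ignored
// because the peer is not a trusted proxy.
echo resolve_client_ip([
    'REMOTE_ADDR'          => '198.51.100.23',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.7',
], $trusted), "\n";
```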