id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc
13791,Prevent comment author impersonation,mdawaffe,,"Currently any logged out commenter can create a comment using a registered user's name and email address.  Blog viewers can't tell the difference unless the theme styles the comments differently based on the comment's user_id.  Even then, the user_id of a user without the unfiltered_html cap can be spoofed via CSRF.

Whether the comment was submitted by a logged in user is not displayed admin-side either.

To prevent impersonation, the attached:
 1. Extends CSRF protection to cover all logged in commenters, not just the unfiltered comment content of logged in commenters with the unfiltered_html cap.
 2. Fires a new {{{comment_impersonation}}} action during the {{{pre_comment_on_post}}} hook only for logged out users.  Attaching it to {{{pre_comment_on_post}}} ensures the new hook does not get fired during imports.
 3. Adds an impersonation detector to that new hook to check {{{pre_comment_author_email}}} for email addresses of registered users.
 4. If impersonation is detected, {{{wp_die()}}}s.

Impersonation of registered users by logged in users is already prevented by wp-comments-post.php (it overwrites the email/name/url submitted by logged in users).

Impersonation of registered users by logged out users is caught by the attached.

Impersonation of unregistered users is fine: let Anonymous have its freedom.

""Impersonation"" of registered users by CSRF is prevented by noncing the form for all logged in commenters.",enhancement,closed,normal,,Comments,2.9.2,normal,duplicate,has-patch,
