Ticket #7245 (closed enhancement: fixed)

Opened 4 years ago

Last modified 19 months ago

Keep certain interval to fetch mail message

Reported by: lilyfan Owned by: westi
Priority: normal Milestone: 2.9
Component: Security Version: 2.0
Severity: minor Keywords: has-patch tested commit early
Cc:

Description

wp-mail.php is exposed to being run by third parties. If a malicious user loads wp-mail.php continuously, sequential access to the mail server will occur. To protect against this attack, wp-mail.php needs to be invoked at certain intervals.

I propose a constant WP_MAIL_INTERVAL to define the interval in minutes, and an option value mailserver_last_checked to keep the datetime when WordPress last checked the mail server. You can stop using wp-mail.php if WP_MAIL_INTERVAL is set to zero (0).

Attachments

wpmail.patch Download (717 bytes) - added by lilyfan 4 years ago.
Patch for wp-mail.php
7245.diff Download (676 bytes) - added by Denis-de-Bernardy 3 years ago.

Change History

lilyfan 4 years ago

Patch for wp-mail.php

  • Milestone changed from 2.9 to 2.7

comment:2   matt 3 years ago

  • Milestone changed from 2.7 to 2.9
  • Keywords has-patch added
  • Milestone changed from 2.9 to 2.8
  • Keywords tested added

On a separate note, shouldn't we check that the mail servers aren't the default ones set by WP? It's like... poor example.com.

Plus, if whoever owns it actually sets up an account with the relevant details, he'll be posting on quite a bit of blogs. :D

comment:5   ryan 3 years ago

  • Keywords needs-patch added; has-patch tested removed

Where is mailserver_last_checked set? Regardless, it needs to use get_transient() and set_transient() rather than options.

  • Milestone changed from 2.8 to Future Release

Punting to be evaluated in next development cycle due to time constraints.

  • Keywords has-patch tested commit added; needs-patch removed
  • Milestone changed from Future Release to 2.8

New patch allows disabling post by email by defining the new constant as false.

  • Owner changed from anonymous to Denis-de-Bernardy
  • Status changed from new to accepted
  • Keywords early added
  • Owner changed from Denis-de-Bernardy to westi
  • Milestone changed from 2.8 to 2.9

Patch looks good.

Would like to reduce the churn in 2.8 this close to release.

Marking for early 2.9 + backport to 2.8.1

still applies clean

Current patch is a little broken.

Tidying up and will commit.

  • Status changed from accepted to closed
  • Resolution set to fixed

(In [11782]) Limit wp-mail blog by email checks to every 5 minutes. Fixes #7245 based on patches from lilyfan and Denis-de-Bernardy.

comment:13 follow-up: ↓ 14   aaroncampbell 3 years ago

I think that set_transient's second argument is a time in seconds. I know you said 5 minutes, but you set it to 500 seconds which is 8.3 minutes. Not sure how much that matters, but I thought I'd point it out.

comment:14 in reply to: ↑ 13   westi 3 years ago

Replying to aaroncampbell:

I think that set_transient's second argument is a time in seconds. I know you said 5 minutes, but you set it to 500 seconds which is 8.3 minutes. Not sure how much that matters, but I thought I'd point it out.

Oops. As you identified, that was meant to be 300, not 500. Failed when I switched in the working value after testing with a really small number!

(In [11786]) Set the interval to 5 minutes like I meant. See #7245 props aaroncampbell.
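The throttle this ticket describes (the WP_MAIL_INTERVAL constant from the description, with the transient-based check ryan asked for instead of a plain option, and the seconds-versus-minutes slip discussed in comments 13 and 14), as an added stand-alone example. This is not the ticket's patch and not WordPress core code. Assumptions: WP_MAIL_INTERVAL is expressed in minutes and 0 or false disables post by email, the transient key is the ticket's mailserver_last_checked, and get_transient()/set_transient() are replaced by in-memory stand-ins so the script runs outside WordPress.

```php
<?php
// Added example, not the #7245 patch or WordPress core. Assumptions (all
// hypothetical): WP_MAIL_INTERVAL is in minutes, 0/false turns post by email
// off, the transient key is 'mailserver_last_checked', and the transient API
// below is an in-memory stand-in for the real one.

if ( ! defined( 'MINUTE_IN_SECONDS' ) ) {
    define( 'MINUTE_IN_SECONDS', 60 );
}
if ( ! defined( 'WP_MAIL_INTERVAL' ) ) {
    define( 'WP_MAIL_INTERVAL', 5 ); // minutes; 5 is the value the 2.9 fix settled on
}

// Minimal stand-ins for get_transient()/set_transient() so this runs offline.
// Core backs these with the options table or the object cache.
$GLOBALS['fake_transients'] = array();
$GLOBALS['fake_now']        = time(); // fake clock, advanced by hand below

function get_transient( $key ) {
    if ( ! isset( $GLOBALS['fake_transients'][ $key ] ) ) {
        return false;
    }
    $entry = $GLOBALS['fake_transients'][ $key ];
    if ( $entry['expires'] <= $GLOBALS['fake_now'] ) {
        unset( $GLOBALS['fake_transients'][ $key ] ); // expired
        return false;
    }
    return $entry['value'];
}

function set_transient( $key, $value, $expiration = 0 ) {
    // In WordPress an expiration of 0 means "never expires".
    $expires = ( 0 === (int) $expiration ) ? PHP_INT_MAX : $GLOBALS['fake_now'] + (int) $expiration;
    $GLOBALS['fake_transients'][ $key ] = array( 'value' => $value, 'expires' => $expires );
    return true;
}

/**
 * Gate for wp-mail.php. Returns:
 *   'disabled'  - WP_MAIL_INTERVAL is 0/false, post by email is switched off.
 *   'throttled' - the mail server was checked less than WP_MAIL_INTERVAL minutes ago.
 *   'allowed'   - proceed, and record this check so further hits are throttled.
 */
function wp_mail_check_allowed() {
    if ( ! WP_MAIL_INTERVAL ) {
        return 'disabled';
    }
    if ( get_transient( 'mailserver_last_checked' ) ) {
        return 'throttled'; // core would wp_die() here instead of polling the mail server
    }
    // set_transient()'s third argument is SECONDS. Converting from minutes here
    // is exactly the step that turned "5 minutes" into 500 seconds in [11782].
    set_transient( 'mailserver_last_checked', true, WP_MAIL_INTERVAL * MINUTE_IN_SECONDS );
    return 'allowed';
}

// Demonstration: a burst of hits from an attacker, then one after the window passes.
$results   = array();
$results[] = wp_mail_check_allowed();          // first hit
$results[] = wp_mail_check_allowed();          // immediate retry
$GLOBALS['fake_now'] += WP_MAIL_INTERVAL * MINUTE_IN_SECONDS - 1;
$results[] = wp_mail_check_allowed();          // one second before the window closes
$GLOBALS['fake_now'] += 1;
$results[] = wp_mail_check_allowed();          // window has elapsed
print_r( $results );
```

Two caveats a practitioner should keep in mind with this design. The limit is global, not per client: an attacker can still force one mail-server connection per interval, which bounds the damage but does not attribute it. And the check-then-set sequence is not atomic, so two requests arriving in the same instant can both see no transient and both poll the mail server; for a five-minute window that is an acceptable loss, not a bypass worth more machinery.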
