

Ticket #13791: 13791.2.diff

File 13791.2.diff, 6.5 KB (added by mdawaffe, 8 years ago)

Removes second nonce from wp_comment_reply()

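--- a/wp-comments-post.php
+++ b/wp-comments-post.php
@@ -55,16 +55,17 @@
 // If the user is logged in
 $user = wp_get_current_user();
 if ( $user->ID ) {
+        check_admin_referer( "submit-comment_$comment_post_ID", '_wp_comment_nonce' );
+
         if ( empty( $user->display_name ) )
                 $user->display_name=$user->user_login;
         $comment_author       = $wpdb->escape($user->display_name);
         $comment_author_email = $wpdb->escape($user->user_email);
         $comment_author_url   = $wpdb->escape($user->user_url);
+
         if ( current_user_can('unfiltered_html') ) {
-                if ( wp_create_nonce('unfiltered-html-comment_' . $comment_post_ID) != $_POST['_wp_unfiltered_html_comment'] ) {
-                        kses_remove_filters(); // start with a clean slate
-                        kses_init_filters(); // set up the filters
-                }
+                kses_remove_filters(); // start with a clean slate
+                kses_init_filters(); // set up the filters
         }
 } else {
         if ( get_option('comment_registration') || 'private' == $status )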
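Review bot: The new `check_admin_referer()` call turns a missing or stale nonce into a hard `wp_die()` for every logged-in commenter, and the field it verifies is only emitted where the `comment_form` action fires (the hook-up is in the wp-includes/default-filters.php section of this patch), so a theme with a hand-written comment form that never runs that action, or a page served from a full-page cache beyond the nonce lifetime, would presumably reject every logged-in submission and lose the comment text with it. Consider recording that dependency at the call site, e.g. `// Nonce is emitted by wp_comment_form_nonce() via the 'comment_form' action; themes that bypass comment_form() must output it themselves.`, and confirming the theme-compatibility assumption before this lands. The `if ( $user->ID )` block is visible in full, but `$comment_post_ID` is assigned outside the hunk.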
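--- a/wp-includes/default-filters.php
+++ b/wp-includes/default-filters.php
@@ -227,8 +227,10 @@
 add_action( 'publish_post',               '_publish_post_hook',       5, 1 );
 add_action( 'save_post',                  '_save_post_hook',          5, 2 );
 add_action( 'transition_post_status',     '_transition_post_status',  5, 3 );
-add_action( 'comment_form', 'wp_comment_form_unfiltered_html_nonce'        );
+add_action( 'comment_form',               'wp_comment_form_nonce'          );
 add_action( 'wp_scheduled_delete',        'wp_scheduled_delete'            );
+add_action( 'pre_comment_on_post',        'wp_comment_impersonation'       );
+add_action( 'comment_impersonation',      'wp_comment_impersonation_email' );
 
 // Navigation menu actions
 add_action( 'trash_post',                 '_wp_trash_menu_item'            );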
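--- a/wp-includes/comment.php
+++ b/wp-includes/comment.php
@@ -1836,6 +1836,62 @@
                 $client->query('weblogUpdates.ping', get_option('blogname'), $home);
 }
 
+
+/**
+ * Hook for preventing comment impersonation of registered user by logged out
+ * user.
+ *
+ * Impersonation of registered user by logged in user handled by
+ * wp-comments-post.php
+ *
+ * CSRF protection for logged in users provided by wp_comment_form_nonce()
+ *
+ * @since 3.1
+ * @uses do_action() Calls 'comment_impersonation' hook.
+ */
+function wp_comment_impersonation() {
+        global $current_user;
+
+        // It's a registered user.  Depend on:
+        //   CSRF prevention in wp_comment_form_nonce()
+        //   form submission overwrite in wp-comments-post.php
+        if ( $current_user->ID )
+                return;
+
+        do_action( 'comment_impersonation' );
+}
+
+/**
+ * Default comment impersonation prevention method.
+ *
+ * Attached to 'comment_impersonation' hook.
+ *
+ * @since 3.1
+ * @uses wp_comment_impersonation_email_check()
+ */
+function wp_comment_impersonation_email() {
+        add_filter( 'pre_comment_author_email', 'wp_comment_impersonation_email_check', 100 );
+}
+
+/**
+ * Checks email submitted by non-logged-in commenter to catch impersonation
+ * attempts.
+ *
+ * Attached to 'pre_comment_author_email' hook by
+ * wp_comment_impersonation_email()
+ *
+ * @since 3.1
+ *
+ * @param string $email Email address to check
+ * @return string unchanged email or wp_die()
+ */
+function wp_comment_impersonation_email_check( $email ) {
+        if ( get_user_by_email( $email ) )
+                wp_die( __( 'Howdy, Mr. Abagnale.' ) );
+
+        return $email;
+}
+
 //
 // Cache
 //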
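Review bot: `wp_comment_impersonation()` reads the `$current_user` global directly, while the wp-comments-post.php section of this same patch resolves the user with `wp_get_current_user()`; if the global has not been populated by the time `pre_comment_on_post` fires, `$current_user->ID` evaluates to null, the early return is skipped, and a logged-in user whose address matches their account would presumably be rejected by `wp_comment_impersonation_email_check()`. Replacing the global with `$user = wp_get_current_user();` and testing `$user->ID` removes that ordering dependency. Separately, `wp_die( __( 'Howdy, Mr. Abagnale.' ) )` tells a visitor whose session has merely expired nothing about how to recover; a message such as `__( 'That email address belongs to a registered user. Please log in to comment.' )` would be more useful.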
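--- a/wp-includes/comment-template.php
+++ b/wp-includes/comment-template.php
@@ -770,29 +770,23 @@
 }
 
 /**
- * Displays form token for unfiltered comments.
+ * Displays form token for comments.
  *
- * Will only display nonce token if the current user has permissions for
- * unfiltered html. Won't display the token for other users.
+ * CSRF protection for comments from registered users.  Does not protect against
+ * "manual" impersonation.
  *
- * The function was backported to 2.0.10 and was added to versions 2.1.3 and
- * above. Does not exist in versions prior to 2.0.10 in the 2.0 branch and in
- * the 2.1 branch, prior to 2.1.3. Technically added in 2.2.0.
- *
- * Backported to 2.0.10.
- *
  * @since 2.1.3
+ * @since 2.0.10
  * @uses $post Gets the ID of the current post for the token
  */
-function wp_comment_form_unfiltered_html_nonce() {
+function wp_comment_form_nonce() {
         global $post;
 
         $post_id = 0;
         if ( !empty($post) )
                 $post_id = $post->ID;
 
-        if ( current_user_can('unfiltered_html') )
-                wp_nonce_field('unfiltered-html-comment_' . $post_id, '_wp_unfiltered_html_comment', false);
+        wp_nonce_field( "submit-comment_$post_id", '_wp_comment_nonce', false );
 }
 
 /**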
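Review bot: When `$post` is empty the field is emitted with the action `submit-comment_0`, while wp-comments-post.php verifies `submit-comment_$comment_post_ID`; before this patch a mismatch only meant the kses filters stayed on, but now it fails `check_admin_referer()`, so any template that renders the comment form without the post global set would presumably block logged-in commenters. The action string is also assembled by hand in both files; a small shared helper returning `"submit-comment_$post_id"` used by both call sites would keep them from drifting. The docblock now lists `@since 2.0.10` after `@since 2.1.3`; oldest first is the usual order.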
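--- a/wp-admin/admin-ajax.php
+++ b/wp-admin/admin-ajax.php
@@ -721,11 +721,10 @@
                 $comment_author_email = $wpdb->escape($user->user_email);
                 $comment_author_url   = $wpdb->escape($user->user_url);
                 $comment_content      = trim($_POST['content']);
+               
                 if ( current_user_can('unfiltered_html') ) {
-                        if ( wp_create_nonce('unfiltered-html-comment_' . $comment_post_ID) != $_POST['_wp_unfiltered_html_comment'] ) {
-                                kses_remove_filters(); // start with a clean slate
-                                kses_init_filters(); // set up the filters
-                        }
+                        kses_remove_filters(); // start with a clean slate
+                        kses_init_filters(); // set up the filters
                 }
         } else {
                 die( __('Sorry, you must be logged in to reply to a comment.') );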
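Review bot: New line 724 is a whitespace-only line rather than an empty one; the trailing whitespace should be dropped so it matches the blank separators added elsewhere in this patch. With the per-post unfiltered-html nonce removed, the raw-HTML path in this branch rests entirely on the `replyto-comment` nonce being verified earlier in the handler, which is outside the hunk and presumably already in place; a one-line comment above the `current_user_can('unfiltered_html')` check, such as `// CSRF for this request is covered by the replyto-comment nonce check above`, would make that dependency visible to the next maintainer. The enclosing `if`/`else` starts outside the hunk.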
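--- a/wp-admin/includes/template.php
+++ b/wp-admin/includes/template.php
@@ -2287,7 +2287,6 @@
         <input type="hidden" name="checkbox" id="checkbox" value="<?php echo $checkbox ? 1 : 0; ?>" />
         <input type="hidden" name="mode" id="mode" value="<?php echo esc_attr($mode); ?>" />
         <?php wp_nonce_field( 'replyto-comment', '_ajax_nonce-replyto-comment', false ); ?>
-        <?php wp_comment_form_unfiltered_html_nonce(); ?>
 <?php if ( $table_row ) : ?>
 </td></tr></tbody></table>
 <?php else : ?>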