

Ticket #13791: 13791.diff

File 13791.diff, 5.8 KB (added by mdawaffe, 4 years ago)
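--- a/wp-comments-post.php
+++ b/wp-comments-post.php
@@ -55,16 +55,17 @@
 // If the user is logged in
 $user = wp_get_current_user();
 if ( $user->ID ) {
+        check_admin_referer( "submit-comment_$comment_post_ID", '_wp_comment_nonce' );
+
         if ( empty( $user->display_name ) )
                 $user->display_name=$user->user_login;
         $comment_author       = $wpdb->escape($user->display_name);
         $comment_author_email = $wpdb->escape($user->user_email);
         $comment_author_url   = $wpdb->escape($user->user_url);
+
         if ( current_user_can('unfiltered_html') ) {
-                if ( wp_create_nonce('unfiltered-html-comment_' . $comment_post_ID) != $_POST['_wp_unfiltered_html_comment'] ) {
-                        kses_remove_filters(); // start with a clean slate
-                        kses_init_filters(); // set up the filters
-                }
+                kses_remove_filters(); // start with a clean slate
+                kses_init_filters(); // set up the filters
         }
 } else {
         if ( get_option('comment_registration') || 'private' == $status )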
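Review bot: The unfiltered_html branch on new lines 67–68 now calls kses_remove_filters()/kses_init_filters() unconditionally, so a user who holds unfiltered_html always has the comment run through kses even though the request was just verified by check_admin_referer() on line 58; the removed code only did that when the separate unfiltered-html nonce failed. If that tightening is intended it deserves a comment, e.g. `// Comments are always kses-filtered, even for unfiltered_html users; CSRF is covered by the nonce check above`, otherwise the whole `if ( current_user_can('unfiltered_html') )` block can be dropped. The same unconditional form appears in the wp-admin/admin-ajax.php hunk (new lines 726–727). Note also that check_admin_referer() dies on a missing or expired nonce, so a comment form rendered more than a nonce lifetime earlier (or served from a page cache) is now rejected outright for logged-in users rather than merely filtered — worth a sentence in the docblock of wp_comment_form_nonce(). The enclosing `if ( $user->ID )` block and its else branch continue outside the hunk.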
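--- a/wp-includes/default-filters.php
+++ b/wp-includes/default-filters.php
@@ -227,8 +227,10 @@
 add_action( 'publish_post',               '_publish_post_hook',       5, 1 );
 add_action( 'save_post',                  '_save_post_hook',          5, 2 );
 add_action( 'transition_post_status',     '_transition_post_status',  5, 3 );
-add_action( 'comment_form', 'wp_comment_form_unfiltered_html_nonce'        );
+add_action( 'comment_form',               'wp_comment_form_nonce'          );
 add_action( 'wp_scheduled_delete',        'wp_scheduled_delete'            );
+add_action( 'pre_comment_on_post',        'wp_comment_impersonation'       );
+add_action( 'comment_impersonation',      'wp_comment_impersonation_email' );
 
 // Navigation menu actions
 add_action( 'trash_post',                 '_wp_trash_menu_item'            );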
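Review bot: wp_comment_impersonation() is attached only to 'pre_comment_on_post' on new line 232, so the impersonation check covers just the submissions that fire that action; any other code path that creates front-end comments without firing it (the callers are not visible from this hunk) is unaffected, and that scope is worth stating next to the registration, e.g. `// Impersonation check applies only to submissions that fire 'pre_comment_on_post'`. The 'comment_impersonation' action on line 233 is a new public hook name, so a one-line comment here saying it is the extension point for alternative impersonation checks would help readers who only open this file.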
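--- a/wp-includes/comment.php
+++ b/wp-includes/comment.php
@@ -1836,6 +1836,62 @@
                 $client->query('weblogUpdates.ping', get_option('blogname'), $home);
 }
 
+
+/**
+ * Hook for preventing comment impersonation of registered user by logged out
+ * user.
+ *
+ * Impersonation of registered user by logged in user handled by
+ * wp-comments-post.php
+ *
+ * CSRF protection for logged in users provided by wp_comment_form_nonce()
+ *
+ * @since 3.1
+ * @uses do_action() Calls 'comment_impersonation' hook.
+ */
+function wp_comment_impersonation() {
+        global $current_user;
+
+        // It's a registered user.  Depend on:
+        //   CSRF prevention in wp_comment_form_nonce()
+        //   form submission overwrite in wp-comments-post.php
+        if ( $current_user->ID )
+                return;
+
+        do_action( 'comment_impersonation' );
+}
+
+/**
+ * Default comment impersonation prevention method.
+ *
+ * Attached to 'comment_impersonation' hook.
+ *
+ * @since 3.1
+ * @uses wp_comment_impersonation_email_check()
+ */
+function wp_comment_impersonation_email() {
+        add_filter( 'pre_comment_author_email', 'wp_comment_impersonation_email_check', 100 );
+}
+
+/**
+ * Checks email submitted by non-logged-in commenter to catch impersonation
+ * attempts.
+ *
+ * Attached to 'pre_comment_author_email' hook by
+ * wp_comment_impersonation_email()
+ *
+ * @since 3.1
+ *
+ * @param string $email Email address to check
+ * @return string unchanged email or wp_die()
+ */
+function wp_comment_impersonation_email_check( $email ) {
+        if ( get_user_by_email( $email ) )
+                wp_die( __( 'Howdy, Mr. Abagnale.' ) );
+
+        return $email;
+}
+
 //
 // Cache
 //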
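Review bot: wp_comment_impersonation_email_check() on new lines 1888–1893 responds differently depending on whether get_user_by_email() finds an account, so an anonymous commenter can learn whether any given address is registered on the site simply by submitting it; the patch trades an impersonation defence for an account-enumeration oracle, and that trade-off should be recorded in the docblock (`Note: rejecting registered addresses reveals to anonymous visitors which emails have accounts.`) so it is a deliberate choice rather than a surprise. The wp_die() string 'Howdy, Mr. Abagnale.' is a user-facing, translatable message that tells the commenter nothing about what went wrong; something like `wp_die( __( 'That email address belongs to a registered user. Please log in to comment.' ) );` is clearer, though the enumeration point stands either way. wp_comment_impersonation() on lines 1852–1862 reads `global $current_user` directly; unless the global is guaranteed to be populated before 'pre_comment_on_post' fires (not visible here), `if ( wp_get_current_user()->ID )` is the safer read, because a null global makes `$current_user->ID` empty and pushes logged-in users into the email check, where their own registered address would then be rejected.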
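--- a/wp-includes/comment-template.php
+++ b/wp-includes/comment-template.php
@@ -770,29 +770,23 @@
 }
 
 /**
- * Displays form token for unfiltered comments.
+ * Displays form token for comments.
  *
- * Will only display nonce token if the current user has permissions for
- * unfiltered html. Won't display the token for other users.
+ * CSRF protection for comments from registered users.  Does not protect against
+ * "manual" impersonation.
  *
- * The function was backported to 2.0.10 and was added to versions 2.1.3 and
- * above. Does not exist in versions prior to 2.0.10 in the 2.0 branch and in
- * the 2.1 branch, prior to 2.1.3. Technically added in 2.2.0.
- *
- * Backported to 2.0.10.
- *
  * @since 2.1.3
+ * @since 2.0.10
  * @uses $post Gets the ID of the current post for the token
  */
-function wp_comment_form_unfiltered_html_nonce() {
+function wp_comment_form_nonce() {
         global $post;
 
         $post_id = 0;
         if ( !empty($post) )
                 $post_id = $post->ID;
 
-        if ( current_user_can('unfiltered_html') )
-                wp_nonce_field('unfiltered-html-comment_' . $post_id, '_wp_unfiltered_html_comment', false);
+        wp_nonce_field( "submit-comment_$post_id", '_wp_comment_nonce', false );
 }
 
 /**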
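Review bot: The rename on new line 782 removes the public function wp_comment_form_unfiltered_html_nonce() without a deprecated wrapper, so any theme or plugin that calls it from its own comment form will fatal on upgrade; the usual pattern is to keep the old name as a wrapper that calls _deprecated_function() and then wp_comment_form_nonce(), shown below. The docblock also keeps `@since 2.1.3` / `@since 2.0.10` for what is now a new function name and a new nonce action; a `@since 3.1` entry noting the rename, and that the field is now emitted for every visitor rather than only for users with unfiltered_html, would keep the history readable. Since the field is now rendered for logged-out visitors too, it is worth saying in the docblock that the value is only verified for logged-in users in wp-comments-post.php, so the copy embedded in cached pages is harmless.
```php
// … unchanged: wp_comment_form_nonce() …

/**
 * Deprecated alias for wp_comment_form_nonce().
 *
 * @since 2.1.3
 * @deprecated 3.1 Use wp_comment_form_nonce()
 */
function wp_comment_form_unfiltered_html_nonce() {
	_deprecated_function( __FUNCTION__, '3.1', 'wp_comment_form_nonce()' );
	wp_comment_form_nonce();
}
```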
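--- a/wp-admin/admin-ajax.php
+++ b/wp-admin/admin-ajax.php
@@ -721,11 +721,10 @@
                 $comment_author_email = $wpdb->escape($user->user_email);
                 $comment_author_url   = $wpdb->escape($user->user_url);
                 $comment_content      = trim($_POST['content']);
+
                 if ( current_user_can('unfiltered_html') ) {
-                        if ( wp_create_nonce('unfiltered-html-comment_' . $comment_post_ID) != $_POST['_wp_unfiltered_html_comment'] ) {
-                                kses_remove_filters(); // start with a clean slate
-                                kses_init_filters(); // set up the filters
-                        }
+                        kses_remove_filters(); // start with a clean slate
+                        kses_init_filters(); // set up the filters
                 }
         } else {
                 die( __('Sorry, you must be logged in to reply to a comment.') );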