Timestamp:
11/18/2016 09:12:03 PM (3 years ago)
Author:
rachelbaker
Message:

REST API: On Comment create, limit the ability to set the author_ip value directly.

Users without the moderate_comments capability can no longer set the author_ip property directly, and instead receive a WP_Error if they attempt to do so. Otherwise, the author_ip property is populated from $_SERVER['REMOTE_ADDR'] if present and a valid IP value. Finally, fallback to 127.0.0.1 as a last resort.

Props dd32, rachelbaker, joehoyle.
Fixes #38819.

File:
1 edited

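--- a/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
+++ b/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
@@ -372,8 +372,14 @@
         }
 
-        // Limit who can set comment `author` or `status` to anything other than the default.
+        // Limit who can set comment `author`, `author_ip` or `status` to anything other than the default.
         if ( isset( $request['author'] ) && get_current_user_id() !== $request['author'] && ! current_user_can( 'moderate_comments' ) ) {
             /* translators: %s: request parameter */
             return new WP_Error( 'rest_comment_invalid_author', sprintf( __( "Sorry, you are not allowed to edit '%s' for comments." ), 'author' ), array( 'status' => rest_authorization_required_code() ) );
+        }
+
+        if ( isset( $request['author_ip'] ) && ! current_user_can( 'moderate_comments' ) ) {
+            if ( empty( $_SERVER['REMOTE_ADDR'] ) || $request['author_ip'] !== $_SERVER['REMOTE_ADDR'] ) {
+                return new WP_Error( 'rest_comment_invalid_author_ip', __( 'Sorry, you are not allowed to set author_ip for comments.' ), array( 'status' => rest_authorization_required_code() ) );
+            }
         }
 
@@ -1042,6 +1048,10 @@
         }
 
-        if ( isset( $request['author_ip'] ) ) {
+        if ( isset( $request['author_ip'] ) && current_user_can( 'moderate_comments' ) ) {
             $prepared_comment['comment_author_IP'] = $request['author_ip'];
+        } elseif ( ! empty( $_SERVER['REMOTE_ADDR'] ) && rest_is_ip_address( $_SERVER['REMOTE_ADDR'] ) ) {
+            $prepared_comment['comment_author_IP'] = $_SERVER['REMOTE_ADDR'];
+        } else {
+            $prepared_comment['comment_author_IP'] = '127.0.0.1';
         }
 
@@ -1120,5 +1130,4 @@
                     'format'       => 'ip',
                     'context'      => array( 'edit' ),
-                    'default'      => '127.0.0.1',
                 ),
                 'author_name'     => array(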
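Review bot: The permission check in the first hunk and the prepare step in the second hunk apply different tests to `$_SERVER['REMOTE_ADDR']`: the first lets a non-moderator's `author_ip` through whenever it byte-matches `REMOTE_ADDR` behind only an `empty()` guard, while the second additionally requires `rest_is_ip_address()` before storing that value and otherwise writes `'127.0.0.1'`. Aligning the first check with the second, `if ( empty( $_SERVER['REMOTE_ADDR'] ) || ! rest_is_ip_address( $_SERVER['REMOTE_ADDR'] ) || $request['author_ip'] !== $_SERVER['REMOTE_ADDR'] ) {`, keeps the two paths consistent so a request cannot pass the authorization check with a value the prepare step will then discard. The strict string comparison also rejects an address that is equivalent but written differently (for example an IPv6 address with and without zero-compression), so the `rest_comment_invalid_author_ip` error can reach a caller that supplied nothing but its own address; if that is intended, a one-line comment at the comparison saying the match is textual rather than semantic would help. The `else` branch in the second hunk deserves a comment such as `// No usable REMOTE_ADDR (e.g. CLI or cron): record loopback rather than an empty IP.` so the literal is not mistaken for a leftover placeholder from the removed schema default. Both enclosing methods start and end outside their hunks.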