WordPress.org

Make WordPress Core

Opened 4 years ago

Last modified 8 months ago

#10975 new enhancement

comment form nonce

Reported by: tellyworth Owned by:
Milestone: Future Release Priority: normal
Severity: normal Version:
Component: Comments Keywords: has-patch
Focuses: Cc:

Description

This adds a nonce to public comment forms, via the comment_form action.

Attachments (2)

wp-comment-nonce.patch (1.4 KB) - added by tellyworth 4 years ago.
wp-comment-nonce-refresh.patch (1.3 KB) - added by tellyworth 3 years ago.
refreshed patch tested against trunk

Download all attachments as: .zip

Change History (18)

comment:1 scribu4 years ago

  • Type changed from defect (bug) to enhancement

Can non-logged-in users still comment?

comment:2 johnbillion4 years ago

  • Keywords dev-feedback added

I don't see what this solves. I assume it's attempting to prevent automated commenting by bots. The nonce will be identical for every non-logged in visitor so it'll be very easy for an automated comment bot to get this nonce and use it in its requests, and then we're back to square one.

Scribu: yes they can.

comment:3 filosofo4 years ago

An admin has greater posting privileges than a non-logged-in user, so there would be some advantage just in preventing XSS-commenting for only logged-in users.

And perhaps we could use the client's IP address in the nonce hash when generating it for non-logged-in users?

comment:4 tellyworth4 years ago

"I don't see what this solves. I assume it's attempting to prevent automated commenting by bots. The nonce will be identical for every non-logged in visitor so it'll be very easy for an automated comment bot to get this nonce and use it in its requests, and then we're back to square one."

It blocks several things:

  1. Dumb bots that just drive-by POST without fetching the page. These are still very common, so it will block a substantial amount of spam.
  1. XSS attacks that try to defeat spam filters by tricking real people into submitting an anonymous comment on another blog. Currently rare, but there's no reason to wait until it becomes common.
  1. Slightly less dumb bots that do a single fetch on a blog first, then submit many comments on multiple posts. This won't work with the patch applied because the nonce is unique to each post.

This is not intended to block all spam (that's the job of specialized plugins), just raise the bar a little by eliminating the simplest attacks.

filosofo, incorporating the client's IP address would block some legitimate comments. There is scope for hashing and checking additional info, but I think that's the job of spam filtering plugins, not core (that sort of stuff has to change frequently for it to be effective).

comment:5 scribu4 years ago

  • Milestone changed from Unassigned to 2.9

comment:6 ryan4 years ago

  • Milestone changed from 2.9 to 3.0

comment:7 scribu4 years ago

  • Keywords changed from has-patch, dev-feedback to has-patch dev-feedback

comment:8 westi4 years ago

Nice idea.

I don't think we should use normal nonces for this.

I think it is better that we have a different class of "nonce" for use on the frontend for non-logged in users.

We can then enforce the usage of the current nonces for logged in users only.

comment:9 nacin4 years ago

  • Keywords needs-patch added; has-patch dev-feedback removed

comment:10 Denis-de-Bernardy4 years ago

you can also use wp-hashcash...

in case anyone missed it, such a patch can have severe implications when it comes to caching.

comment:11 scribu4 years ago

  • Milestone changed from 3.0 to Future Release

Punting, pending more discussion.

comment:12 ryanhellyer4 years ago

I just came across this ticket now via a Google search (I need to do something similar for another project).

This seems like something far more suitable for a plugin as I don't see any way of getting around this when caching heavily.

comment:14 scribu4 years ago

Related: #13791

tellyworth3 years ago

refreshed patch tested against trunk

comment:15 avryl8 months ago

  • Component changed from General to Comments

comment:16 westonruter8 months ago

  • Keywords has-patch added; needs-patch removed
Note: See TracTickets for help on using tickets.