WordPress.org

Make WordPress Core

Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#11938 closed defect (bug) (wontfix)

Akismet doesn't take the HTTP_X_FORWARDED_HOST into account, sees all comments as spam

Reported by: husky
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 2.9.1
Component: General
Keywords: close has-patch
Focuses:
Cc:

Description

On some installations, requests are forwarded to separate 'PHP workers' and the original REMOTE_ADDR key in the $_SERVER superglobal might be changed to the forwarder's IP instead of the original commenter's. This means that all requests have the same REMOTE_ADDR when sent to the Akismet servers and therefore are all seen as spam.

The forwarding servers add an extra header to the HTTP request called 'HTTP_X_FORWARDED_HOST' that contains the original IP.

I've attached a patch that uses this address if it's available; otherwise it takes the normal 'REMOTE_ADDR' key into account.

Attachments (1)

patch.txt (1.0 KB) - added by husky 5 years ago.


Change History (5)

@husky 5 years ago

comment:1 @scribu 5 years ago

  • Keywords close has-patch added
  • Milestone changed from 2.9.2 to Unassigned

This should be reported on the Akismet site.

comment:2 @Denis-de-Bernardy 5 years ago

  • Milestone Unassigned deleted
  • Resolution set to wontfix
  • Status changed from new to closed

comment:3 @hakre 5 years ago

Shouldn't this be closed as duplicate?

comment:4 @miqrogroove 5 years ago

wontfix is fine. I'd go so far as to say invalid because HTTP requests are not usable in the manner suggested by OP. You'd have a CVE slapped on WordPress trunk faster than you can finish beta testing.
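Added example, not part of the ticket and not WordPress or Akismet code: one way to resolve the commenter's address behind forwarding servers without trusting a header that any client can send, by honouring it only when REMOTE_ADDR is one of the site's own proxies. The function name, the proxy list and the sample addresses are assumptions; the header key is a parameter, and the sample uses HTTP_X_FORWARDED_FOR as an assumption about the proxy, where the ticket names HTTP_X_FORWARDED_HOST.

```php
<?php
// Added example. resolve_commenter_ip() is a hypothetical helper; the proxy
// list and all addresses below are constructed for illustration.

/**
 * Return the address to report as the commenter's IP.
 * The forwarded header is honoured only when the direct peer (REMOTE_ADDR)
 * is one of our own proxies; from any other peer it is client-controlled.
 */
function resolve_commenter_ip(array $server, array $trusted_proxies, string $header_key): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return '';
    }
    // Direct connection, or a peer we do not operate: ignore the header.
    if (!in_array($peer, $trusted_proxies, true) || empty($server[$header_key])) {
        return $peer;
    }
    // A chain looks like "client, proxy1, proxy2". Walk from the right and
    // take the first hop that is not one of our proxies, so entries a client
    // prepended to the chain are never reached.
    $hops = array_map('trim', explode(',', $server[$header_key]));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $peer; // malformed value: fall back to the peer address
        }
        if (!in_array($hop, $trusted_proxies, true)) {
            return $hop;
        }
    }
    return $peer; // every hop was one of our proxies
}

// Constructed sample requests.
$proxies = ['10.0.0.5'];
$key     = 'HTTP_X_FORWARDED_FOR';

$via_proxy = ['REMOTE_ADDR' => '10.0.0.5',     $key => '203.0.113.7'];
$direct    = ['REMOTE_ADDR' => '198.51.100.9', $key => '127.0.0.1'];
$prepended = ['REMOTE_ADDR' => '10.0.0.5',     $key => '127.0.0.1, 203.0.113.7'];

foreach ([$via_proxy, $direct, $prepended] as $request) {
    echo resolve_commenter_ip($request, $proxies, $key), "\n";
}
```

The second request arrives directly from an untrusted peer, so its header is ignored; in the third, the proxy appended the real peer address last, so the value the client prepended is not used.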
