Prevent comment author impersonation
Reported by: mdawaffe
Owned by:
Currently any logged out commenter can create a comment using a registered user's name and email address. Blog viewers can't tell the difference unless the theme styles the comments differently based on the comment's user_id. Even then, the user_id of a user without the unfiltered_html cap can be spoofed via CSRF.
Whether the comment was submitted by a logged in user is not displayed admin-side either.
To prevent impersonation, the attached:
- Extends CSRF protection to cover all logged in commenters, not just the unfiltered comment content of logged in commenters with the unfiltered_html cap.
- Fires a new comment_impersonation action during the pre_comment_on_post hook only for logged out users. Attaching it to pre_comment_on_post ensures the new hook does not get fired during imports.
- Adds an impersonation detector to that new hook to check pre_comment_author_email for email addresses of registered users.
- If impersonation is detected, wp_die()s.
Impersonation of registered users by logged in users is already prevented by wp-comments-post.php (it overwrites the email/name/url submitted by logged in users).
Impersonation of registered users by logged out users is caught by the attached.
Impersonation of unregistered users is fine: let Anonymous have its freedom.
"Impersonation" of registered users by CSRF is prevented by noncing the form for all logged in commenters.
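The two mechanisms described above, sketched as a stand-alone plugin. This is an added illustration written for this page, not the patch attached to the ticket and not WordPress core code. It uses the core hooks named in the ticket (pre_comment_on_post, comment_form) and the proposed comment_impersonation action; the nonce field name, the nonce action string, the function names and the choice to read the submitted email straight from $_POST (rather than through the pre_comment_author_email filter) are assumptions made here for brevity.

```php
<?php
/*
Plugin Name: Comment Impersonation Guard (illustrative example)
Description: Added example for the ticket above; not the attached patch and not core code.
*/

// 1. Nonce the comment form for every logged-in commenter, not only those
//    with the unfiltered_html cap. Field name and action string are assumptions.
function cig_comment_form_nonce( $post_id ) {
	if ( is_user_logged_in() ) {
		wp_nonce_field( 'cig_comment_on_post_' . $post_id, '_cig_comment_nonce', false );
	}
}
add_action( 'comment_form', 'cig_comment_form_nonce' );

// 2. Runs from pre_comment_on_post (wp-comments-post.php only), so imports
//    that call wp_insert_comment()/wp_new_comment() directly never reach it.
function cig_pre_comment_on_post( $post_id ) {
	if ( is_user_logged_in() ) {
		// CSRF: a forged cross-site POST cannot carry a valid nonce, so it
		// cannot attach a comment to the victim's user_id.
		$nonce = isset( $_POST['_cig_comment_nonce'] ) ? $_POST['_cig_comment_nonce'] : '';
		if ( ! wp_verify_nonce( $nonce, 'cig_comment_on_post_' . $post_id ) ) {
			wp_die( __( 'Invalid comment form submission.' ) );
		}
		// Name/email/url of logged-in users are overwritten by wp-comments-post.php,
		// so nothing further to check here.
		return;
	}

	// Logged-out commenter: fire the impersonation hook with the submitted
	// author fields (stripslashes because WP adds magic-quotes slashes to $_POST).
	$author = isset( $_POST['author'] ) ? trim( stripslashes( $_POST['author'] ) ) : '';
	$email  = isset( $_POST['email'] )  ? trim( stripslashes( $_POST['email'] ) )  : '';
	do_action( 'comment_impersonation', $email, $author, $post_id );
}
add_action( 'pre_comment_on_post', 'cig_pre_comment_on_post' );

// 3. The detector: a logged-out comment whose email belongs to a registered
//    user is refused. Unregistered names/emails pass untouched.
function cig_detect_impersonation( $email, $author, $post_id ) {
	if ( '' === $email ) {
		return;
	}
	// email_exists() returns the user ID (truthy) or false.
	if ( email_exists( $email ) ) {
		wp_die( __( 'That email address belongs to a registered user. Please log in to comment as that user.' ) );
	}
}
add_action( 'comment_impersonation', 'cig_detect_impersonation', 10, 3 );
```

Note that the detector keys on the email only, as the ticket proposes; matching on the display name is a separate policy decision, since names are not unique. Because the hook fires only inside wp-comments-post.php, comments created by importers or by other plugins calling wp_new_comment() directly are not subject to the check, which is the intended trade-off described above.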