Make WordPress Core

Opened 14 years ago

Closed 14 years ago

#13887 closed defect (bug) (fixed)

comment_whitelist checking in check_comment

Reported by: avereha's profile avereha Owned by:
Milestone: 3.0.2 Priority: high
Severity: normal Version: 2.9.2
Component: Comments Keywords: has-patch
Focuses: Cc:

Description

If you have the "comment_whitelist"(Comment author must have a previously approved comment) option activated in Wordpress 2.9.2, and someone post a trackback or pingback comment with Comment Author's domain "%", the comment is automaticaly approved.

I think the bug is in the wp-includes/comment.php file, check_comment function, this condition:

if ( $wpdb->get_var($wpdb->prepare("SELECT link_id FROM $wpdb->links WHERE link_url LIKE (%s) LIMIT 1", '%'.$domain.'%'))...

if $domain == "%", the first condition is true, and the comment approved.

The URL is like this one: http://%/something.ru

Attachments (1)

13887.diff (909 bytes) - added by dd32 14 years ago.

Download all attachments as: .zip

Change History (11)

#1 @GautamGupta
14 years ago

  • Milestone changed from Unassigned to 3.0.1
  • Priority changed from normal to high

#2 @nacin
14 years ago

That code is to check to see whether the domain is in the blogroll, in which case we whitelist the ping. The % are MySQL placeholders for LIKE.

#3 @nacin
14 years ago

like_escape(), I suppose...

#4 @avereha
14 years ago

I don't think escaping the '_' and '%' characters will solve the problem.
Supose you receive the "http://a/anything" url. If you have any link in blogroll containing the letter "a", the comment will be approved again.

#5 @dd32
14 years ago

The result here is that any url's submitted must have a domain name which exists within your blogroll to exploit this loophole. It virtually results in the worst case being that pingbacks/trackbacks will bypass the checks IF their domain exists within a link, somewhere.

Currently, a url of 'http://something.com/' will pass as whitelisted if you have a site of 'http://google.com/results/something.com/page/2/'

With attached patch: (default blogroll, so wordpress.org exists within it.)

Before:

string 'SELECT link_id FROM wp_links WHERE link_url LIKE ('%localhost%') LIMIT 1' (length=72)
boolean true

string 'SELECT link_id FROM wp_links WHERE link_url LIKE ('%%%') LIMIT 1' (length=64)
boolean true

string 'SELECT link_id FROM wp_links WHERE link_url LIKE ('%abc%') LIMIT 1' (length=66)
boolean false

string 'SELECT link_id FROM wp_links WHERE link_url LIKE ('%wordpress.org%') LIMIT 1' (length=76)
boolean true

After:

string 'SELECT link_id FROM wp_links WHERE link_url LIKE ('http://localhost%') LIMIT 1' (length=78)
boolean true

string 'SELECT link_id FROM wp_links WHERE link_url LIKE ('http://\\%%') LIMIT 1' (length=72)
boolean false

string 'SELECT link_id FROM wp_links WHERE link_url LIKE ('http://abc%') LIMIT 1' (length=72)
boolean false

string 'SELECT link_id FROM wp_links WHERE link_url LIKE ('http://wordpress.org%') LIMIT 1' (length=82)
boolean true

Seems like a better idea to check the scheme/domain, not only will it prevent the domain existing -somewhere- in a link, but it'll also allow the DB to perform the search better i'd assume (thanks to the anchoring start, rather than an open-ender)

@dd32
14 years ago

#6 @nacin
14 years ago

  • Keywords has-patch added
  • Milestone changed from 3.0.1 to 3.1

Patch looks good. Moving to 3.1 though since this isn't a regression.

#7 @markjaquith
14 years ago

We received some more information on this one. This can be used to sneak spam past moderation. And none of the solutions we looked at could solve the issue of someone using a Trackback URL of "http://wordpress.org/foobar123", and then putting spam (or just hateful/undesired content) into the body. We're just going to drop this feature entirely.

#8 @markjaquith
14 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [16637]) Drop pingback/trackback blogroll whitelisting feature. Too many ways to abuse it. props avereha. props vladimir_kolesnikov. fixes #13887 for trunk

#9 @markjaquith
14 years ago

  • Milestone changed from 3.1 to 3.0.2
  • Resolution fixed deleted
  • Status changed from closed to reopened

Re-open for 3.0.2

#10 @markjaquith
14 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

(In [16638]) Drop pingback/trackback blogroll whitelisting feature. Too many ways to abuse it. props avereha. props vladimir_kolesnikov. fixes #13887 for 3.0.x

Note: See TracTickets for help on using tickets.