Opened 14 years ago
Closed 14 years ago
#13887 closed defect (bug) (fixed)
comment_whitelist checking in check_comment
Reported by: | avereha | Owned by: | |
---|---|---|---|
Milestone: | 3.0.2 | Priority: | high |
Severity: | normal | Version: | 2.9.2 |
Component: | Comments | Keywords: | has-patch |
Focuses: | Cc: |
Description
If you have the "comment_whitelist"(Comment author must have a previously approved comment) option activated in Wordpress 2.9.2, and someone post a trackback or pingback comment with Comment Author's domain "%", the comment is automaticaly approved.
I think the bug is in the wp-includes/comment.php file, check_comment function, this condition:
if ( $wpdb->get_var($wpdb->prepare("SELECT link_id FROM $wpdb->links WHERE link_url LIKE (%s) LIMIT 1", '%'.$domain.'%'))...
if $domain == "%", the first condition is true, and the comment approved.
The URL is like this one: http://%/something.ru
Attachments (1)
Change History (11)
#4
@
14 years ago
I don't think escaping the '_' and '%' characters will solve the problem.
Supose you receive the "http://a/anything" url. If you have any link in blogroll containing the letter "a", the comment will be approved again.
#5
@
14 years ago
The result here is that any url's submitted must have a domain name which exists within your blogroll to exploit this loophole. It virtually results in the worst case being that pingbacks/trackbacks will bypass the checks IF their domain exists within a link, somewhere.
Currently, a url of 'http://something.com/' will pass as whitelisted if you have a site of 'http://google.com/results/something.com/page/2/'
With attached patch: (default blogroll, so wordpress.org exists within it.)
Before:
string 'SELECT link_id FROM wp_links WHERE link_url LIKE ('%localhost%') LIMIT 1' (length=72) boolean true string 'SELECT link_id FROM wp_links WHERE link_url LIKE ('%%%') LIMIT 1' (length=64) boolean true string 'SELECT link_id FROM wp_links WHERE link_url LIKE ('%abc%') LIMIT 1' (length=66) boolean false string 'SELECT link_id FROM wp_links WHERE link_url LIKE ('%wordpress.org%') LIMIT 1' (length=76) boolean true
After:
string 'SELECT link_id FROM wp_links WHERE link_url LIKE ('http://localhost%') LIMIT 1' (length=78) boolean true string 'SELECT link_id FROM wp_links WHERE link_url LIKE ('http://\\%%') LIMIT 1' (length=72) boolean false string 'SELECT link_id FROM wp_links WHERE link_url LIKE ('http://abc%') LIMIT 1' (length=72) boolean false string 'SELECT link_id FROM wp_links WHERE link_url LIKE ('http://wordpress.org%') LIMIT 1' (length=82) boolean true
Seems like a better idea to check the scheme/domain, not only will it prevent the domain existing -somewhere- in a link, but it'll also allow the DB to perform the search better i'd assume (thanks to the anchoring start, rather than an open-ender)
#6
@
14 years ago
- Keywords has-patch added
- Milestone changed from 3.0.1 to 3.1
Patch looks good. Moving to 3.1 though since this isn't a regression.
#7
@
14 years ago
We received some more information on this one. This can be used to sneak spam past moderation. And none of the solutions we looked at could solve the issue of someone using a Trackback URL of "http://wordpress.org/foobar123", and then putting spam (or just hateful/undesired content) into the body. We're just going to drop this feature entirely.
That code is to check to see whether the domain is in the blogroll, in which case we whitelist the ping. The % are MySQL placeholders for LIKE.