WordPress.org

Make WordPress Core

Opened 7 years ago

Closed 7 years ago

#18319 closed defect (bug) (fixed)

inline reply removes images

Reported by: hebbet Owned by: azaozz
Milestone: 3.3 Priority: normal
Severity: normal Version: 3.2.1
Component: Comments Keywords: has-patch
Focuses: Cc:

Description

Repro: reply to a comment through the comments list in admin. Add an image to it. Click on submit.

What happens: the image isn't saved in the comment.

Attachments (1)

18319.diff (1.7 KB) - added by nacin 7 years ago.


Change History (8)

#1 @SergeyBiryukov
7 years ago

  • Keywords needs-patch dev-feedback added

wp_comment_form_unfiltered_html_nonce() creates a nonce based on the post ID of the last comment in the list instead of the current comment, so the nonce check in admin-ajax.php is not satisfied:

if ( current_user_can('unfiltered_html') ) {
	if ( wp_create_nonce('unfiltered-html-comment_' . $comment_post_ID) != $_POST['_wp_unfiltered_html_comment'] ) {
		kses_remove_filters(); // start with a clean slate
		kses_init_filters(); // set up the filters
	}
}

What is the proper way to fix this?

#3 @SergeyBiryukov
7 years ago

  • Milestone changed from Awaiting Review to 3.3

#4 @nacin
7 years ago

In the admin, we might be able to change the nonce to a generic one for the screen. The other option is an individual wp_nonce_field() for every comment.

#5 @SergeyBiryukov
7 years ago

That check was copied from wp-comments-post.php in [8720], however in admin-ajax.php we already have check_ajax_referer():

http://core.trac.wordpress.org/browser/tags/3.2.1/wp-admin/admin-ajax.php#L628

Isn't that enough to prevent possible XSRF described in #3973?


#6 @nacin
7 years ago

  • Keywords has-patch added; needs-patch dev-feedback removed

Patch attached.

Yes, it would protect against CSRF. Ideally we're object-specific with our nonces where possible, but in this case, we can't do that efficiently, so this will work fine.

Approved by westi and ryan.

#7 @azaozz
7 years ago

  • Owner set to azaozz
  • Resolution set to fixed
  • Status changed from new to closed

In [18852]:

Fix unfiltered_html_comment nonce, props nacin, fixes #18319
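
The nonce mismatch described in comment #1 and the screen-wide nonce discussed in comments #4 to #6, as an added example that is not part of the ticket or of WordPress core. The demo_* functions, the secret, the comment IDs and the screen-wide action name are assumptions made for illustration, and the nonce model is simplified (a token bound to a user and an action string only).

```php
<?php
// Added illustration: demo_* names are hypothetical stand-ins, not WordPress functions.
const DEMO_SECRET = 'constructed-demo-key';

// Simplified nonce model: a token bound to a user and an action string.
function demo_create_nonce(string $user, string $action): string {
    return substr(hash_hmac('sha256', $user . '|' . $action, DEMO_SECRET), 0, 10);
}

// Same shape as the check quoted in comment #1: when the posted nonce does not
// match, HTML filtering is applied (modelled here by dropping <img>).
function demo_save_reply(string $user, string $action, string $posted, string $html): string {
    if (!hash_equals(demo_create_nonce($user, $action), $posted)) {
        return strip_tags($html, '<a><em><strong>');
    }
    return $html;
}

// Replies to every comment in the list with the single nonce the form carries.
// $generic_action === null means the server derives the action from the post ID.
function demo_reply_to_all(array $comments, string $form_nonce, ?string $generic_action): array {
    $image_kept = [];
    foreach ($comments as $comment_id => $post_id) {
        $action = $generic_action ?? 'unfiltered-html-comment_' . $post_id;
        $saved = demo_save_reply('admin', $action, $form_nonce, 'See <img src="chart.png" alt="">');
        $image_kept[$comment_id] = strpos($saved, '<img') !== false;
    }
    return $image_kept;
}

// Constructed comments list: comment ID => ID of the post it belongs to.
$comments = [101 => 7, 102 => 7, 103 => 9];

// Before: one nonce for the whole list, bound to the last comment's post (9).
$last_post_id = end($comments);
$per_post = demo_create_nonce('admin', 'unfiltered-html-comment_' . $last_post_id);
var_dump(demo_reply_to_all($comments, $per_post, null));

// After: one nonce bound to a screen-wide action (the action name is an assumption).
$screen_action = 'demo-unfiltered-html-comment-screen';
$per_screen = demo_create_nonce('admin', $screen_action);
var_dump(demo_reply_to_all($comments, $per_screen, $screen_action));

// The screen-wide nonce is still per user: a token minted for another user fails.
$other = demo_create_nonce('subscriber', $screen_action);
var_dump(demo_reply_to_all($comments, $other, $screen_action));
```

In the first run only the reply to comment 103 keeps its image, because the form's nonce matches post 9 alone; the second run keeps the image for all three replies, and the third for none.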
