Make WordPress Core

Opened 10 years ago

Closed 8 years ago

#27471 closed defect (bug) (fixed)

wp.newComment allows to post new comments even if they are closed or not supported

Reported by: xknown Owned by: wonderboymusic
Milestone: 4.4 Priority: normal
Severity: normal Version: 3.8.1
Component: XML-RPC Keywords: has-patch
Focuses: Cc:


wp_xmlrpc_server::wp_newComment() doesn't check whether comments are allowed or supported on a given post type.

faineant:wp alex$ curl -s -c /tmp/atoq.cookie -d 'log=test&pwd=1234' 'http://atoq/wp/wp-login.php' | curl -b /tmp/atoq.cookie -sd 'comment_post_ID=1&author=test&' "http://atoq/wp/wp-comments-post.php" | grep Sorry
	<p>Sorry, comments are closed for this item.</p></body>

faineant:wp alex$ cat test.xml 
	<param><value>Test comment</value></param>

faineant:wp alex$ curl --data @test.xml "http://atoq/wp/xmlrpc.php"
<?xml version="1.0" encoding="UTF-8"?>

Attachments (2)

27471.diff (538 bytes) - added by jesin 10 years ago.
Stop commenting via XML-RPC if comments are closed
27471.2.diff (2.3 KB) - added by wonderboymusic 8 years ago.


Change History (8)

10 years ago

27471.diff attached by jesin: Stop commenting via XML-RPC if comments are closed

#1 follow-up: @jesin
10 years ago

This patch should do the trick; please give it a try.

Not only wp_xmlrpc_server::wp_newComment(), but also wp_new_comment() and wp_insert_comment(), fail to check whether comments are allowed on a post before going ahead.

This issue exists even on the current version; I haven't checked the previous ones.

#2 @jesin
10 years ago

  • Keywords has-patch added

#3 in reply to: ↑ 1 @jeremyfelt
10 years ago

  • Keywords reporter-feedback added
  • Version changed from trunk to 3.8.1

The correct workflow may be to retrieve details about the post first, including comment_status, via wp.getPost and then make the call with a comment if comments are open. Anonymous comments are disabled by default in wp.newComment. I think having the XMLRPC call match the current behavior in wp_new_comment() is expected.

#4 @markoheijnen
9 years ago

I can see why there are no checks in the APIs of WordPress, because you can also have custom comment types that would ignore whether comments are allowed, such as a status update of your order inside an e-commerce plugin.

Unsure about wp.newComment though, since that one is only for comments, but I can agree with jeremyfelt to have it match the current behavior of wp_new_comment().

#5 @wonderboymusic
8 years ago

  • Keywords reporter-feedback removed
  • Milestone changed from Awaiting Review to 4.4
  • Owner set to wonderboymusic
  • Status changed from new to assigned

27471.2.diff adds a unit test.

#6 @wonderboymusic
8 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 34559:

XML-RPC: Introduce the concept of unit testing to wp_xmlrpc_server::wp_newComment():

  • Don't allow comments to be created for posts that have comment_status set to 'closed'
  • Set some magic props on WP_User to vars before passing them to wp_xmlrpc_server::escape()

Props wonderboymusic, jesin.
Fixes #27471.
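The missing check and its fix, modelled as an added example (Python; this is not WordPress's PHP handler and not code from this ticket or its patches). A `SimpleXMLRPCDispatcher` stands in for xmlrpc.php and exposes the two real method names, wp.getPost and wp.newComment, over a constructed two-post table; `enforce_comment_status=False` reproduces the reported behaviour and `True` applies the server-side rule from changeset 34559 (reject when comment_status is not open). `try_comment` plays the client and can optionally follow the workflow from comment 3, reading comment_status via wp.getPost before commenting. The login test/1234 is taken from the ticket's curl reproduction; the post table, the 403/404 fault codes, the "Invalid post ID." message and the `{"content": ...}` comment struct are assumptions made for this example.

```python
"""Added example (not WordPress code): models the wp.newComment defect from
this ticket and the server-side fix. Post table, fault codes and the comment
struct shape are constructed for the example."""
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCDispatcher

# Constructed post table standing in for the WordPress posts table.
POSTS = {
    1: {"post_id": "1", "post_title": "Closed post", "comment_status": "closed"},
    2: {"post_id": "2", "post_title": "Open post", "comment_status": "open"},
}
CLOSED_MSG = "Sorry, comments are closed for this item."


class MockXmlRpcServer:
    """Stand-in for xmlrpc.php exposing wp.getPost and wp.newComment.

    enforce_comment_status=False reproduces the reported behaviour; True adds
    the check the fix introduces. Authentication is not modelled.
    """

    def __init__(self, enforce_comment_status):
        self.enforce = enforce_comment_status
        self.comments = []  # (post_id, content) pairs created so far
        self.dispatcher = SimpleXMLRPCDispatcher(allow_none=False, encoding="utf-8")
        self.dispatcher.register_function(self.wp_get_post, "wp.getPost")
        self.dispatcher.register_function(self.wp_new_comment, "wp.newComment")

    def _post(self, post_id):
        post = POSTS.get(int(post_id))
        if post is None:
            raise xmlrpc.client.Fault(404, "Invalid post ID.")  # constructed code
        return post

    def wp_get_post(self, blog_id, username, password, post_id):
        return self._post(post_id)

    def wp_new_comment(self, blog_id, username, password, post_id, content_struct):
        post = self._post(post_id)
        # The reported defect: without this branch comment_status is never
        # consulted, so a closed post still accepts comments over XML-RPC.
        if self.enforce and post["comment_status"] != "open":
            raise xmlrpc.client.Fault(403, CLOSED_MSG)  # constructed code
        self.comments.append((int(post_id), content_struct["content"]))
        return len(self.comments)  # new comment ID

    def handle(self, request_xml):
        """Run one marshalled request through the dispatcher; returns response XML."""
        raw = self.dispatcher._marshaled_dispatch(request_xml.encode("utf-8"))
        return raw.decode("utf-8")


def call(server, method, *params):
    """Client side of the exchange: marshal, dispatch, unmarshal.

    Returns the method result, or the xmlrpc.client.Fault the server sent.
    """
    request_xml = xmlrpc.client.dumps(params, methodname=method)
    response_xml = server.handle(request_xml)
    try:
        return xmlrpc.client.loads(response_xml)[0][0]
    except xmlrpc.client.Fault as fault:
        return fault


def try_comment(server, post_id, text, check_first=False):
    """Post a comment the way the ticket's curl call does.

    check_first=True follows comment 3: read comment_status via wp.getPost and
    stop client-side if the post is closed. Returns "created", "closed" or
    "fault:<code>".
    """
    if check_first:
        post = call(server, "wp.getPost", 1, "test", "1234", post_id)
        if isinstance(post, xmlrpc.client.Fault):
            return "fault:%d" % post.faultCode
        if post["comment_status"] != "open":
            return "closed"
    result = call(server, "wp.newComment", 1, "test", "1234", post_id, {"content": text})
    if isinstance(result, xmlrpc.client.Fault):
        return "fault:%d" % result.faultCode
    return "created"


if __name__ == "__main__":
    buggy = MockXmlRpcServer(enforce_comment_status=False)
    fixed = MockXmlRpcServer(enforce_comment_status=True)
    print("unchecked server, closed post:", try_comment(buggy, 1, "Test comment"))
    print("fixed server, closed post:    ", try_comment(fixed, 1, "Test comment"))
    print("fixed server, open post:      ", try_comment(fixed, 2, "Test comment"))
    print("client-side check only:       ", try_comment(buggy, 1, "Test comment", check_first=True))
    print("same server, check skipped:   ", try_comment(buggy, 1, "Test comment"))
```

The last two calls show why the workflow in comment 3 is a courtesy rather than a control: against the unchecked server a client that consults wp.getPost stops, but one that skips that step still gets a comment ID back for the closed post. The only check that holds is the one inside wp.newComment itself, which is what the fix adds.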
