Make WordPress Core

Opened 16 years ago

Closed 16 years ago

Last modified 15 years ago

#2931 closed defect (bug) (fixed)

User-Agent Used When Requesting /wp-admin/execute-pings.php?time= Should not be Blank

Reported by: macmanx
Owned by:
Milestone:
Priority: high
Severity: major
Version: 2.0.3
Component: Security
Keywords: bg|has-patch bg|commit
Focuses:
Cc:

Description

Currently, WordPress (v2.0.3) seems to use a blank user-agent when requesting /wp-admin/execute-pings.php?time=<number>. This is a common technique used by spammers to avoid spam filters. Without a user-agent, requests for files such as this (even if they come from one's own server) can seem very suspicious to the average log-reading user. Similar to the previously reported (and fixed) bug #1713, WordPress should not be employing the use of common spam techniques, and should identify itself with a WordPress user-agent whenever possible.

Attachments (1)

functions.diff (799 bytes) - added by error 16 years ago.
wp-includes/functions.php send user agent on execute-pings


Change History (7)

#1 @error
16 years ago

  • Component changed from Administration to Security
  • Keywords bg|has-patch added; execute-pings.php user-agent removed

I've put in a patch which looks like it fixes the issue.

#2 @darkfate
16 years ago

  • Keywords bg|has-patch|commit added; bg|has-patch removed

@error
16 years ago

wp-includes/functions.php send user agent on execute-pings

#3 @macmanx
16 years ago

Thanks for the patch, Error! As far as this specific bug is concerned, it worked perfectly with apparently no adverse effects. As expected, /wp-admin/execute-pings.php?time= was requested with a "WordPress/2.0.3" user-agent.

However, at exactly the same time, something from my server sent a GET request for the test post's URL with no user-agent. Since there was no user-agent present, and since it was only requesting the post's URL, I can't tell if it was WordPress or something else.

This bug really shouldn't be limited to /wp-admin/execute-pings.php?time=, and I apologize for titling it as such. WordPress should always identify itself with a "WordPress/<version>" user-agent whenever possible.
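An added example, not part of the ticket or of WordPress: one way to audit an access log for the blank user-agent requests discussed above, separating the server's own execute-pings.php calls from other self-originated and external requests. The combined log format, the sample lines, and the address 192.0.2.10 standing in for the server are assumptions.

```python
import re

# Apache/nginx "combined" format: ip, timestamp, request line, status, size, referer, user-agent.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines; 192.0.2.10 stands in for the server's own address.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jul/2006:10:15:02 +0000] "GET /wp-admin/execute-pings.php?time=1151748902 HTTP/1.0" 200 0 "-" "-"
192.0.2.10 - - [01/Jul/2006:10:15:02 +0000] "GET /2006/07/test-post/ HTTP/1.0" 200 5120 "-" ""
192.0.2.10 - - [01/Jul/2006:10:20:41 +0000] "GET /wp-admin/execute-pings.php?time=1151749241 HTTP/1.0" 200 0 "-" "WordPress/2.0.3"
203.0.113.77 - - [01/Jul/2006:10:21:09 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "-"
198.51.100.4 - - [01/Jul/2006:10:22:30 +0000] "GET / HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

def blank_ua_requests(log_text, own_addresses):
    """Return (origin, ip, path) for every request whose User-Agent is empty or "-".

    origin is "self-ping" when the server requests its own execute-pings.php,
    "self-other" for any other request from the server's own address, and
    "external" for everything else.
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if m["ua"].strip() not in ("", "-"):
            continue  # the client identified itself
        path = m["path"]
        if m["ip"] in own_addresses:
            is_ping = path.split("?", 1)[0].endswith("/wp-admin/execute-pings.php")
            origin = "self-ping" if is_ping else "self-other"
        else:
            origin = "external"
        findings.append((origin, m["ip"], path))
    return findings

if __name__ == "__main__":
    for origin, ip, path in blank_ua_requests(SAMPLE_LOG, {"192.0.2.10"}):
        print(f"{origin:10} {ip:15} {path}")
```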

#4 @error
16 years ago

  • Keywords bg|has-patch bg|commit added; bg|has-patch|commit removed

Well, yes, I agree that it should. Unfortunately, WP is still quite full of duplicate code, and more seems to get added all the time. Oh well. Topic for another bug, maybe?

#5 @ryan
16 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [4048]) Don't use blank user agent when pinging. Props error. fixes #2931

#6 @(none)
15 years ago

  • Milestone 2.0.4 deleted

