
Opened 2 years ago

Last modified 2 years ago

#36766 new enhancement

Improve Source Verification in Pingbacks and Add Filter

Reported by: dshanske Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: Pings/Trackbacks Keywords: has-patch
Focuses: Cc:

Description

Like the do_pings code, the source verification should make a HEAD request to the site, retrieving the content type and rejecting images, video, or audio before they are downloaded at all, removing a possible attack vector. The content-type check, which is not currently done by the code, is in the specification: "It then requests the content of http://alice.example.org/#p123 and checks the Content-Type of the entity returned to make sure it is text of some sort."

For display purposes, the content-type should also be passed into the $commentdata for use in preprocessing.

The current code goes through the remote source replacing possible links to content to generate an excerpt. However, the specification only notes retrieving an 'extract of the page content surrounding the link' as an example of content that might be retrieved, says nothing about display, and most people agree the [...] excerpt display isn't exactly attractive.

The code should verify the source on a plaintext level before anything else and fail immediately, then pass the result of that, along with the source and the retrieved content-type, to a filter for more complicated checks if needed. For example, checking to see if it is in proper HTML format (link in an href or some other proper link type).

We treat pingbacks as a comment type, but pingbacks are generated based on the source provided.

Related: #34419
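As an added example, not the ticket's patch or WordPress core code, the verification order the description asks for, modelled in Python: a HEAD-style Content-Type gate that refuses to download non-text bodies, a plaintext search for the target URL, and then a filter hook for deeper checks. Constructed in-memory responses stand in for the remote source site, and plain callables stand in for what WordPress would do with wp_remote_head() and apply_filters().

```python
import re

# Constructed responses standing in for the pingback source site
# (Content-Type header, body); not a real site.
RESPONSES = {
    "http://alice.example.org/post": (
        "text/html; charset=utf-8",
        '<p>Nice post: <a href="http://bob.example.org/#p123">here</a></p>'),
    "http://alice.example.org/plain": (
        "text/plain", "see http://bob.example.org/#p123 for more"),
    "http://alice.example.org/cat.png": ("image/png", "<binary image data>"),
}
FETCHED = []  # records which URLs had their body downloaded


def remote_head(url):
    """Stand-in for a HEAD request: only the Content-Type comes back."""
    return RESPONSES[url][0] if url in RESPONSES else None


def remote_get(url):
    """Stand-in for a GET request; records that a body was downloaded."""
    FETCHED.append(url)
    return RESPONSES[url][1]


def verify_pingback_source(source, target, filters=()):
    """Cheap checks first: Content-Type gate, then a plaintext search for
    the target URL, then hand the result to filters for deeper checks."""
    content_type = remote_head(source)
    mime = (content_type or "").split(";")[0].strip().lower()
    result = {"source": source, "target": target,
              "content_type": content_type, "ok": False, "reason": ""}
    if not mime.startswith("text/"):
        result["reason"] = "non-text Content-Type, body not downloaded"
        return result
    body = remote_get(source)
    if target not in body:
        result["reason"] = "target URL not found in source"
        return result
    result["ok"] = True
    # Equivalent of apply_filters(): each filter may veto or annotate.
    for check in filters:
        result = check(result, body)
    return result


HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def require_proper_link(result, body):
    """Filter: the target must appear as a real <a href>, not bare text."""
    if result["ok"] and result["target"] not in HREF_RE.findall(body):
        result["ok"] = False
        result["reason"] = "target is not linked with an href"
    return result
```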

Attachments (1)

36766.diff (2.7 KB) - added by dshanske 2 years ago.


Change History (3)


#1 @ocean90
2 years ago

  • Keywords has-patch added

This ticket was mentioned in Slack in #core-comments by dshanske.
2 years ago
