Make WordPress Core

Opened 9 months ago

Closed 9 months ago

#38855 closed task (blessed) (fixed)

REST API: Turn off unauthed comment write by default

Reported by: helen Owned by: rmccue
Milestone: 4.7 Priority: high
Severity: major Version:
Component: REST API Keywords: has-patch has-unit-tests
Focuses: Cc:

Description

Posting anonymous comments is a long-time feature of WordPress, but also one that is much maligned when it comes to spam and the tightly related issue of pingback DDoS-ing. Per my understanding, writing to the comments endpoint does not allow for anything except the default comment type and is subject to the existing flood protections for comment posting, but I think we should turn off unauthed write by default for the following reasons:

  • It does not currently present any significant benefit to have it on by default (open to arguments here, of course); however, given the nature of the internet, one can reasonably assume that spam bots will almost immediately adapt to this new availability.
  • Assuming that this becomes even a perceived attack vector, hosts will then block access, much like they often do for XML-RPC, rendering it uselessly on by default and an even more frustrating fix for users.
  • Spam and DDoS-ing attacks are some of the biggest perception problems we have as a project when it comes to core; it would be foolish to ship something that blithely repeats those same things because "that's how it currently works". We would be seen as idiots who don't care, and rightfully so IMO. This is of particular concern if the REST API is meant to be positioned to appeal to developers who have otherwise avoided WordPress.

No personal opinion on the filter and/or admin UI route. It is probably going to be kind of weird that you have one UI option to require users to be logged in to comment that doesn't apply to the REST API, as it's off by default. But in any case, this is the sort of thing that right now would be enabled by themes and plugins - we can always revisit in the future should third party experiences that involve unauthed commenting proliferate.

Original GitHub discussion: https://github.com/WP-API/WP-API/pull/693

Attachments (2)

38855.diff (1.8 KB) - added by rachelbaker 9 months ago.
New rest_allow_anonymous_comments filter
38855.2.diff (8.9 KB) - added by joehoyle 9 months ago.


Change History (13)

#1 @helen
9 months ago

Ah, also, while not necessarily a decisive reason to do this, it does help ease the mind that we won't have any unauthed write on by default in something so new that is about to get a lot more attention :)

#2 @danielbachhuber
9 months ago

I'm amenable to this. Your rationale makes sense to me.

This ticket was mentioned in Slack in #core-restapi by rachelbaker.
9 months ago

#4 @joehoyle
9 months ago

I agree with this - though it's nice to have unauth'ed comment creation, at least at this point it seems pertinent to err on the side of caution. Themes that want to build comment experiences with the REST API can also use the PHP filter to change this if they wanted. It's more the widespread enabling that I think is likely to be a problem.

@rachelbaker
9 months ago

New rest_allow_anonymous_comments filter

#5 @rachelbaker
9 months ago

In 38855.diff I added a filter named rest_allow_anonymous_comments that defaults to false to enable opening the endpoint up to anyone/everyone.

The patch causes many of our unit tests to fail, so they will need to be updated/adjusted as needed.

I wanted to get this up before I had to step away for baby pickup.

#6 @joehoyle
9 months ago

Looking good - maybe we should check !== true just to be a bit more safe, in case someone hooks into it and accidentally returns null.
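The two comments above (the rest_allow_anonymous_comments filter defaulting to false, and the suggestion to compare strictly against true) describe the shape of the permission check without showing it. The following is an added illustration written for this page, not code from WordPress core or from any patch on this ticket. It assumes a minimal stand-in for WordPress's add_filter()/apply_filters() hook registry so the file runs under plain php with no WordPress install, and it models the REST request as a plain array and the error result as a string code rather than a WP_Error; those stand-ins are assumptions, as is the exact control flow of the check.

```php
<?php
// Added example (not WordPress core code). Demonstrates why an opt-in filter
// that defaults to false should be compared with `!== true` rather than by
// truthiness: a callback that is written like an action and forgets to
// `return` yields null, and loose values like 1 or "yes" should not count
// as an explicit opt-in either.
//
// ASSUMPTION: the hook registry below is a stand-in for WordPress's real
// add_filter()/apply_filters(); it only reproduces the behaviour needed here.

$hooks = array();

function add_filter($tag, callable $callback, $priority = 10) {
    global $hooks;
    $hooks[$tag][$priority][] = $callback;
}

function apply_filters($tag, $value, ...$args) {
    global $hooks;
    if (empty($hooks[$tag])) {
        return $value;
    }
    ksort($hooks[$tag]);
    foreach ($hooks[$tag] as $callbacks) {
        foreach ($callbacks as $callback) {
            // Each callback receives the current value and replaces it,
            // so a callback returning nothing replaces it with null.
            $value = $callback($value, ...$args);
        }
    }
    return $value;
}

// WordPress ships this helper; reproduced here so the file is self-contained.
function __return_true() {
    return true;
}

// ASSUMPTION: the request is modelled as an array; user_id 0 means anonymous.
function current_user_id(array $request) {
    return (int) (isset($request['user_id']) ? $request['user_id'] : 0);
}

/**
 * Permission check modelled on the ticket discussion. Returns true when the
 * write may proceed, otherwise an error code string (a stand-in for WP_Error).
 */
function rest_comments_create_permission(array $request) {
    if (current_user_id($request) !== 0) {
        return true; // logged-in users keep their existing ability to comment
    }

    // Defaults to false; themes and plugins opt in explicitly.
    $allow_anonymous = apply_filters('rest_allow_anonymous_comments', false, $request);

    // Strict comparison: null (forgotten return), 1, "yes" etc. all stay closed.
    if ($allow_anonymous !== true) {
        return 'rest_comment_login_required';
    }
    return true;
}

// Constructed sample requests for the demonstration below.
$anonymous = array('user_id' => 0, 'author_email' => 'visitor@example.com');
$logged_in = array('user_id' => 42);

var_dump(rest_comments_create_permission($anonymous)); // string "rest_comment_login_required"
var_dump(rest_comments_create_permission($logged_in)); // bool(true)

// A mis-hooked callback written like an action: it never returns $allow.
add_filter('rest_allow_anonymous_comments', function ($allow, $request) {
    // forgot `return $allow;` (or `return true;`)
});
var_dump(rest_comments_create_permission($anonymous)); // still "rest_comment_login_required"

// The intended opt-in for a theme that builds its comment form on the REST API.
add_filter('rest_allow_anonymous_comments', '__return_true', 20);
var_dump(rest_comments_create_permission($anonymous)); // bool(true)
```

Run with `php example.php`. The second var_dump after hooking the action-style callback is the case joehoyle raised: with a truthiness check (`! $allow_anonymous`) the result would be the same here, but with the strict check any value other than boolean true, including null, is treated as "not opted in", which is the safer failure mode for a write endpoint that is off by default.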

#7 @dd32
9 months ago

I'm personally for unauthed comment writes by default - however, I don't think it needs to be in the initial release while concerns around it still exist and not everyone is on the same page.

Having it available to be enabled by a filter allows themes to potentially use it if they wish, and should get the attention of anti-spam plugins to review if their plugins still operate as required via the endpoint.

@joehoyle
9 months ago

#8 @joehoyle
9 months ago

New patch with tests fixed to set a user where necessary, and override the filter for tests that only applied to tests for anonymous comments.

#9 @peterwilsoncc
9 months ago

  • Keywords has-patch has-unit-tests added

#10 @rmccue
9 months ago

  • Owner set to rmccue
  • Status changed from new to reviewing

#11 @rmccue
9 months ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 39327:

REST API: Disable anonymous commenting by default.

Adding a brand new anonymous comment method is a potential conduit for spam. Since it's still useful functionality, we're now hiding it behind a filter to allow plugins and themes to turn it on if they do want it.

Props helen, rachelbaker, joehoyle.
Fixes #38855.
