WordPress.org
Get WordPress

Make WordPress Core

Opened 9 years ago

Last modified 5 months ago

#40319 new defect (bug)

Apostrophe in commenter's name prevents comment_whitelist setting from working.

Reported by: cfinke's profile cfinke Owned by:
Milestone: Future Release Priority: normal
Severity: normal Version: 4.0
Component: Comments Keywords: has-patch changes-requested has-test-info needs-unit-tests
Focuses: Cc:

Description

If a commenter has an apostrophe in their name, and they have a previously approved comment, and the comment_whitelist setting is enabled ("Comment author must have a previously approved comment"), the commenter's comment will always end up in moderation.

The cause of this can be traced to r38738. If the name has an apostrophe, it will be slashed; the author name was previously included directly in the SQL, with the slash properly escaping the apostrophe, but when the query was updated to use prepare(), the author name was not unslashed.

Affects 4.7, 4.7.1, 4.7.2, 4.7.3, and trunk.

I've attached a patch that addresses the issue by unslashing the two expected_slashed parameters.

Attachments (2)

40319.diff (1008 bytes) - added by cfinke 9 years ago.
40319.patch (1.8 KB) - added by andrinheusser 8 years ago.
Test for #40319

Download all attachments as: .zip

Change History (5)

@cfinke
9 years ago

#1 @johnbillion
9 years ago

  • Keywords has-patch needs-testing needs-unit-tests added
  • Milestone changed from Awaiting Review to Future Release
  • Version changed from trunk to 4.0

Thanks for the patch! This will need some unit tests to verify it's working as intended.

@andrinheusser
8 years ago

Test for #40319

#2 @sorenbronsted
6 years ago

  • Keywords has-unit-tests added; needs-unit-tests removed

#3 @SirLouen
5 months ago

  • Keywords changes-requested has-test-info needs-unit-tests added; needs-testing has-unit-tests removed

Bug Reproduction and Patch Test Report

Description

🟠 This report validates that the indicated bug is reproducible but patch has many flaws

Patch tested:
https://core.trac.wordpress.org/attachment/ticket/40319/40319.diff
https://core.trac.wordpress.org/attachment/ticket/40319/40319.patch

Environment

  • WordPress: 6.9-alpha-60093-src
  • PHP: 8.2.28
  • Server: nginx/1.27.5
  • Database: mysqli (Server: 8.4.5 / Client: mysqlnd 8.2.28)
  • Browser: Chrome 137.0.0.0
  • OS: Windows 10/11
  • Theme: Twenty Twenty 2.9
  • MU Plugins: None activated
  • Plugins:
    • Test Reports 1.2.0

Bug Reproduction Instructions

  1. Settings > Discussion > Activate Before a comment appears > Comment author must have a previously approved comment
  2. Add a comment with a user with an apostrophe. Let's say "Jeanne d'Arc"
  3. Add a comment with a regular username. Example "King Charles"
  4. Go to comments with the admin account and approve both comments
  5. Add a second comment with both users user
  6. Comment from King Charles go through
  7. 🐞 Comment from Jeanne d'Arc is automatically approved

Additional Notes

  • After applying both patches and testing the unit tests, I can see that they are not working as expected.
  1. First, I'm not 100% convinced about the patch. Looking at the proposed changes, it appears that the sanitization should have been done way earlier, it doesn't make sense to do it so far in the process to me. Maybe there is an explanation, I would like to hear further from anyone involved in this patch.
  1. The Unit Test is much more complex. The unit tests provided are always passing, they are not adequately covering this problem, so they are essentially useless.

Supplemental Artifacts

https://i.imgur.com/zYrlbIF.png

Note: See TracTickets for help on using tickets.