Opened 18 years ago
Closed 18 years ago
#4533 closed defect (bug) (fixed)
"Mark as spam" agrees to do its work even on inappropriate comment ID
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | 2.3 | Priority: | normal |
| Severity: | normal | Version: | 2.2.1 |
| Component: | Administration | Keywords: | has-patch |
| Focuses: | | Cc: | |
Description
When spam gets through Akismet, I end up clicking the "Spam It" link from the email notice. Sometimes I forget that I've spammed it, or I'm not sure, so I click it again later, after the comment is already gone.
In this case, WordPress is frighteningly agreeable about marking as spam a comment ID that no longer exists. For instance, supply any other WordPress root URL in this template:
http://www.red-sweater.com/blog/wp-admin/comment.php?action=cdc&dt=spam&c=99999999999
(assuming all those 9's are a high enough comment ID to be "non-existent")
WordPress presents a panel offering to mark the comment as spam, but all the fields are blank (screenshot attached).
It's frightening to have WordPress agree to such a thing, when the comment doesn't exist. While the result of saying "Yes" is probably safe, it makes me wonder whether the defect could lead to an unexpectedly harmful SQL query.
WordPress should detect the non-existence of the comment ID and present an appropriate "no such comment" panel instead.
Attachments (2)
Change History (6)
#1 @ 18 years ago
- Milestone set to 2.2.2
This should be checked by the call to get_comment_to_edit
here: http://trac.wordpress.org/browser/trunk/wp-admin/comment.php#L42
And if no comment exists then a warning displayed.
However get_comment_to_edit (wp-admin/includes/comment.php in trunk) is broken.
Change the code like this:
    function get_comment_to_edit( $id ) {
        if ( ! $comment = get_comment( $id ) ) {
            return false;
        }
        ...
    }
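The check proposed in comment #1, worked through as an added example (this is not WordPress code and not the ticket's patch): an in-memory stand-in for the comments table, a hypothetical `fetch_comment()` in place of `get_comment()`, a guarded `get_comment_to_edit_guarded()`, and a hypothetical `handle_spam_request()` that refuses both the confirmation panel and the update when the ID does not resolve to a row. The comment rows and IDs are constructed for the demonstration.

```php
<?php
// Added example, not WordPress code: models "look the comment up before acting
// on its ID" from comment #1 against an in-memory comment table.

// Constructed stand-in for the comments table; real WordPress reads wp_comments.
$comments = array(
    12 => array( 'comment_ID' => 12, 'comment_author' => 'alice', 'comment_content' => 'Nice post.', 'comment_approved' => '1' ),
    13 => array( 'comment_ID' => 13, 'comment_author' => 'bob',   'comment_content' => 'Buy now!!!', 'comment_approved' => '0' ),
);

// Hypothetical replacement for get_comment(): returns the row, or null when absent.
function fetch_comment( array $table, $id ) {
    $id = (int) $id;          // the query-string value is untrusted text; cast before lookup
    if ( $id <= 0 ) {
        return null;          // 0, negatives and non-numeric input never match a row
    }
    return isset( $table[ $id ] ) ? $table[ $id ] : null;
}

// Mirrors the guard proposed in comment #1: a missing comment yields false so the
// caller can show "no such comment" instead of a blank confirmation panel.
function get_comment_to_edit_guarded( array $table, $id ) {
    $comment = fetch_comment( $table, $id );
    if ( ! $comment ) {
        return false;
    }
    return $comment;
}

// Hardened handler for action=cdc&dt=spam: no panel and no update unless the row
// exists, so a stale or made-up ID produces an error rather than an agreeable prompt.
function handle_spam_request( array &$table, $raw_id ) {
    $comment = get_comment_to_edit_guarded( $table, $raw_id );
    if ( false === $comment ) {
        return 'error: no such comment';
    }
    $table[ $comment['comment_ID'] ]['comment_approved'] = 'spam';
    return 'marked comment ' . $comment['comment_ID'] . ' as spam';
}

echo handle_spam_request( $comments, '13' ), "\n";           // marked comment 13 as spam
echo handle_spam_request( $comments, '99999999999' ), "\n";  // error: no such comment
echo handle_spam_request( $comments, 'abc' ), "\n";          // error: no such comment
```

The point of the guard is that existence is decided by the lookup, not by the caller's good intentions: every later step (rendering the panel, running the update) receives a row that was actually fetched, so no query is ever built from an ID that matched nothing.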
Screen shot of blank agreement to mark comment as spam.