Make WordPress Core

Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#51044 closed defect (bug) (fixed)

preprocess_comment filter is mising some data (like user agent)

Reported by: zodiac1978's profile zodiac1978 Owned by: sergeybiryukov's profile SergeyBiryukov
Milestone: 5.6 Priority: normal
Severity: normal Version:
Component: Comments Keywords: has-patch
Focuses: Cc:

Description

In /wp-includes/comments.php there is a filter preprocess_comment

https://codex.wordpress.org/Plugin_API/Filter_Reference/preprocess_comment
https://developer.wordpress.org/reference/hooks/preprocess_comment/

The documentation says: "Filters a comment’s data before it is sanitized and inserted into the database."

But the $commentdata which is mentioned in the filter is not only sanitized afterwards, it is also filled with some data.

First the filter:
https://github.com/WordPress/WordPress/blob/c64297ce61aa9c81af3beb6027f4a4bbd8f5f757/wp-includes/comment.php#L2198

Then sanitation:
https://github.com/WordPress/WordPress/blob/c64297ce61aa9c81af3beb6027f4a4bbd8f5f757/wp-includes/comment.php#L2200-L2217

But then there are added some more information (like useragent, date, comment type):
https://github.com/WordPress/WordPress/blob/c64297ce61aa9c81af3beb6027f4a4bbd8f5f757/wp-includes/comment.php#L2219-L2222

Especially the user agent could be interesting for some antispam plugins and it is unexpected that this data is added *after* the filter to preprocess a comment.

Maybe related: #47447

Attachments (1)

51044.diff (1.4 KB) - added by SergeyBiryukov 4 years ago.

Download all attachments as: .zip

Change History (10)

#1 follow-up: @SergeyBiryukov
4 years ago

Good catch, it seems like the filter should be moved directly above the wp_filter_comment() call.

#2 @SergeyBiryukov
4 years ago

  • Keywords dev-feedback removed
  • Milestone changed from Awaiting Review to 5.6

#3 in reply to: ↑ 1 ; follow-up: @zodiac1978
4 years ago

Replying to SergeyBiryukov:

Good catch, it seems like the filter should be moved directly above the wp_filter_comment() call.

I do not think that's the correct way here, because the filter would change the behavior then.

The description of the filter is: "Filters a comment’s data *before* it is sanitized" (emphasize mine). if we move the filter before the wp_filter_comment() call it would be already sanitized.

But maybe we could move the additions before the filter call?

#4 in reply to: ↑ 3 @SergeyBiryukov
4 years ago

Replying to zodiac1978:

The description of the filter is: "Filters a comment’s data *before* it is sanitized" (emphasize mine). if we move the filter before the wp_filter_comment() call it would be already sanitized.

But maybe we could move the additions before the filter call?

I think I interpreted wp_filter_comment() as sanitization, as its description is "Filters and sanitizes comment data", and there are some filters in default-filters.php attached to its hooks. But yeah, there is also some other sanitization code.

It seems like at least comment_author_IP and comment_agent could be set before preprocess_comment.

@SergeyBiryukov
4 years ago

#5 @SergeyBiryukov
4 years ago

  • Keywords has-patch added; needs-patch removed
  • Owner set to SergeyBiryukov
  • Status changed from new to accepted

#6 @SergeyBiryukov
4 years ago

  • Resolution set to fixed
  • Status changed from accepted to closed

In 48822:

Comments: Make sure the comment data passed to the preprocess_comment filter includes the comment_agent and comment_author_IP values.

Props zodiac1978, SergeyBiryukov.
Fixes #51044.

#7 @SergeyBiryukov
4 years ago

In 48823:

Comments: Revert unintended changes from [48822].

See #51044.

#8 @SergeyBiryukov
4 years ago

In 48830:

Tests: Update unit tests to account for comment_agent and comment_author_IP values being passed to the preprocess_comment filter.

See #51044.

#9 @SergeyBiryukov
4 years ago

In 48831:

Coding Standards: Fix WPCS issue in [48830].

See #51044.

Note: See TracTickets for help on using tickets.