WordPress.org

Make WordPress Core

Opened 7 years ago

Last modified 3 years ago

#5130 new defect (bug)

Linking to multiple posts on your site breaks pingback due to comment flooding

Reported by: Denis-de-Bernardy Owned by:
Milestone: Future Release Priority: normal
Severity: normal Version: 2.3
Component: Pings/Trackbacks Keywords: needs-patch
Focuses: Cc:

Change History (12)

comment:1 Otto427 years ago

  • Milestone changed from 2.5 to 2.4
  • Summary changed from pingPreserver to Linking to multiple posts on your own site breaks pingback due to comment flooding
  • Version set to 2.3

Useful, sure. But not particularly safe. The method he's using basically just opens up the ability for a comment flood through the xmlrpc pingback door.

A better approach would be to detect self-pings and perform them in a more direct manner, instead of through an http connection to xmlrpc. Preferably through an action of some kind, so self-pings can easily be disabled.

comment:2 foolswisdom7 years ago

  • Milestone changed from 2.4 to 2.5

Leaving as MS 2.5 until patch provided or developer takes ownership of the ticket.

comment:3 scottsm6 years ago

I'm the writer of the plugin. Sorry about the late comment, I never realized this made it up here until I was looking around today.

Anyway, I was worried about the possibility of a comment flood through the xmlrpc but since I haven't yet [knock on wood] ran into a comment flood but have been (slightly) annoyed with missing pings I figured I'd give this way a try. Detecting self-pings would be good but it seems like it would also be good to catch legitimate multiple pings from other blogs so I guess that wouldn't work.

So I guess that means fixing this would require some method similar to the plugin. It is worth mentioning that the plugin is only letting 5 pings through in 15 seconds compared to the default 1. What if the limit on pings was no more than 5 in say 75 seconds? That would offer the same protection as the current comment_flood_filter but still allow multiple pings.

This could be done easily by adding:

if (($time_newcomment - $time_lastcomment) < 15 ){
  if(strpos($_SERVER['PHP_SELF'],"xmlrpc.php")!==false){
    $pings=$wpdb->get_var("SELECT COUNT(comment_date_gmt) FROM $wpdb->comments 
            WHERE comment_author_IP = '".$_SERVER['REMOTE_ADDR']."' AND
            TIME_TO_SEC(TIMEDIFF(now(),comment_date_gmt)) < 75");
    if($pings>5) return true;
  } else return true;
}

to function wp_throttle_comment_flood in comment.php.

comment:4 scottsm6 years ago

Oh and the title "Linking to multiple posts on your own site breaks pingback due to comment flooding" doesn't cover the whole problem. An outside site linking to multiple posts on your own site also breaks pingback due to comment flooding. I've seen a decent number of times in my limited blogging experience where people have linked to more than one of my posts yet only one ping has shown up. I really like how pings improve the interconnectedness of blogging but the comment flood protection is getting in the way (unnecessarily?).

comment:5 scottsm6 years ago

  • Cc scottsm added

comment:6 scottsm6 years ago

  • Summary changed from Linking to multiple posts on your own site breaks pingback due to comment flooding to Linking to multiple posts on your site breaks pingback due to comment flooding

comment:7 sardisson5 years ago

  • Cc sardisson added

comment:8 Denis-de-Bernardy5 years ago

  • Component changed from General to Pings/Trackbacks
  • Owner anonymous deleted

@scott: is this still current?

comment:9 scottsm5 years ago

I still see the code:

function wp_throttle_comment_flood($block, $time_lastcomment, $time_newcomment) {
   if ( $block ) // a plugin has already blocked... we'll let that decision stand
      return $block;
   if ( ($time_newcomment - $time_lastcomment) < 15 )
      return true;
   return false;
}

in WP 2.7.1 without any checks for pings so I guess it should still be a problem. I'll check when I get home today.

comment:10 Denis-de-Bernardy5 years ago

  • Keywords needs-patch added

oh, ok. seeing it in trunk too.

comment:11 janeforshort4 years ago

  • Milestone changed from 2.9 to Future Release

Punting due to time and lack of traction during 2.9 dev cycle.

comment:12 dd323 years ago

Closed #15676 and #14362 as duplicate of this

Note: See TracTickets for help on using tickets.