Make WordPress Core

Opened 6 months ago

Last modified 10 days ago

#57979 new defect (bug)

Can't upload images to WordPress Comments

Reported by: sbb
Owned by:
Milestone: 6.4
Priority: normal
Severity: normal
Version: 6.0.3
Component: Comments
Keywords: has-patch 2nd-opinion dev-feedback needs-testing
Focuses: administration
Cc:

Description

As the admin, I am unable to upload images from my image library to a WordPress comment posted by a user. Please Note: I can upload images to my own comments, but not to a user-generated comment. On the admin page, I edit a user comment, click the IMG button, add the image URL, and the correct code is added to the comment. When I click UPDATE, the image code disappears. Please note that all existing images in Comments display properly. This is a new problem. Theme is Genesis Magazine Pro. I tried: deactivating all plugins, multiple browsers, multiple operating systems (PC and Mac), and multiple computers. Also contacted my web host, WP-Engine, who has had other reports of this problem and believes it is a WordPress issue. Site is buildingadvisor.com. Thank you!

Attachments (3)

57979.diff (553 bytes) - added by khokansardar 6 months ago.
Capture d’écran 2023-04-20 à 11.48.02.png (103.9 KB) - added by lphoumpakka 5 months ago.
Result after testing the patch 57979.diff
57979.1.diff (576 bytes) - added by khokansardar 4 weeks ago.


Change History (17)

#1 @azaozz
6 months ago

  • Milestone changed from Awaiting Review to 6.3
  • Version changed from 6.1.1 to 6.0.3

@sbb Welcome to Trac and thanks for the bug report.

Seems this is a regression introduced in [54527]. Comments edited by users with unfiltered_html (admins or editors) should not be run through KSES.

Looking at the changeset, it checks if the comment author has unfiltered_html, but doesn't check cases where an admin may be editing the comment. This prevents admins and editors from using their capabilities there.

Last edited 6 months ago by azaozz

#2 @sbb
6 months ago

Thanks. So does that make this a feature or a bug that should be fixed? In the meantime, can you suggest a workaround so the admin can add images to user-posted Comments? Many thanks, Steve

#3
6 months ago

  • Keywords has-patch added

This ticket was mentioned in PR #4265 on WordPress/wordpress-develop by @khokansardar.

Trac ticket: 57979


#4 @khokansardar
6 months ago

@azaozz I have added a patch by adding

current_user_can( 'unfiltered_html' )

Please have a look.

Last edited 6 months ago by khokansardar

#5 follow-up: @sbb
6 months ago

Hello and many thanks for the patches. I have tried adding the patch in 57979.diff and also the latest patch as "Additional CSS" in the WordPress theme customizer. However, it did not solve the problem. Still unable to load images to Comments posted by users. Any other suggestions? Should the patch be added to functions.php instead? Sorry, but I am not a programmer...

#6 in reply to: ↑ 5 @khokansardar
6 months ago

Replying to sbb:

Hello and many thanks for the patches. I have tried adding the patch in 57979.diff and also the latest patch as "Additional CSS" in the WordPress theme customizer. However, it did not solve the problem. Still unable to load images to Comments posted by users. Any other suggestions? Should the patch be added to functions.php instead? Sorry, but I am not a programmer...

This is not the process for applying the patches. All these are core tickets, so you have to apply the respective patch to the respective files. For this one you have to change the line in this file:

src/wp-includes/comment.php

as mentioned in the .diff file of this ticket, and then you can do the check.

#7 @lphoumpakka
5 months ago

Test Report

This report validates that the indicated patch addresses the issue.

Patch tested: https://core.trac.wordpress.org/attachment/ticket/57979/57979.diff

Environment

  • OS: macOS 13.2.1
  • Web Server: Nginx
  • PHP: 7.4.27
  • WordPress: 6.3-alpha-55505-src
  • Browser: Chrome 112.0.5615.137
  • Theme: twentytwentythree
  • Active Plugins:

Actual Results

  • ✅ Issue resolved with patch. An administrator can upload an image in another user's comment.


#8 @azaozz
5 months ago

  • Keywords 2nd-opinion added

Not sure if that's the best patch here. This was a security fix; need to make sure the initial bug is not reintroduced.

Last edited 5 months ago by azaozz

#9 @oglekler
3 months ago

  • Milestone changed from 6.3 to 6.4

Because there are doubts about security and the ticket has had no activity in 2 months, I am moving this into the 6.4 milestone.

5 weeks ago

This ticket was mentioned in Slack in #core by oglekler.
#11 @oglekler
5 weeks ago

  • Keywords dev-feedback added

This ticket was discussed during a bug scrub, and it looks like the patch is solving the issue, but this restriction of checking the user ID against the commenter's user ID was also there for a reason, so let's have dev feedback about this.

Add props to @mukesh27

#12 @audrasjb
5 weeks ago

  • Keywords changes-requested added

Hello and thanks for the patch.

The proposed patch probably reintroduces the security issue fixed in [54527]. It would be better to add a conditional to check whether the user is an admin or not.


#13 @khokansardar
4 weeks ago

  • Keywords needs-testing added; changes-requested removed

@audrasjb I have updated the patch here - 57979.1.diff please check.

#14 @devmuhib
10 days ago

Test Report

Tested the latest patch 57979.1.diff and it solves the issue. When I first tried, I could not add any image in user comments. After applying the patch, I added the image in the user's comment.

Patch tested: https://core.trac.wordpress.org/attachment/ticket/57979/57979.1.diff

Environment

OS: Windows 10
Web Server: nginx/1.25.2
PHP: 7.4.33
WordPress: 6.4-alpha-56267-src
Browser: Google Chrome
Theme: Twenty-Twenty-Three

Actual Results

  • ✅ Issue resolved with patch.

Supplemental Artifacts

Screenshot: https://i.imgur.com/Q8AbKVe.png
