Opened 12 years ago

Closed 11 years ago

Last modified 10 years ago

#7245 closed enhancement (fixed)

Keep certain interval to fetch mail message

Reported by: lilyfan
Owned by: westi
Milestone: 2.9
Priority: normal
Severity: minor
Version: 2.0
Component: Security
Keywords: has-patch tested commit early
Focuses:
Cc:

Description

wp-mail.php is exposed to being run by third parties. If a malicious user loads wp-mail.php continuously, sequential accesses to the mail server will occur.
To protect against these attacks, wp-mail.php needs to be invoked only at certain intervals.

I propose a constant WP_MAIL_INTERVAL to define the interval in minutes, and an option value mailserver_last_checked to keep the datetime when WordPress last checked the mail server.
You can stop using wp-mail.php if WP_MAIL_INTERVAL is set to zero (0).
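The guard the ticket proposes, written out as an added example (not the reporter's patch or the committed code) that folds in the later review points: ryan's request to use transients instead of options, and the seconds-versus-minutes confusion from comments #13/#14. It assumes a loaded WordPress runtime (get_transient(), set_transient(), wp_die(), __()); the transient key reuses the name from the proposal.

```php
<?php
// Added example for the throttle proposed in #7245; not the project's code.
// WP_MAIL_INTERVAL is in SECONDS here because that is the unit
// set_transient() expects for its expiration argument (the 300-vs-500 slip
// in comments #13/#14 came from mixing up minutes and seconds).

if ( ! defined( 'WP_MAIL_INTERVAL' ) ) {
	define( 'WP_MAIL_INTERVAL', 5 * 60 ); // 5 minutes, expressed in seconds
}

/**
 * Returns true when a mail-server check may run now, false when the caller
 * should bail. The timestamp is recorded only when a check is allowed, so a
 * flood of requests cannot keep pushing the window forward.
 */
function wpmail_check_allowed() {
	// Zero or false disables post-by-email entirely (per the proposal and #7).
	if ( ! WP_MAIL_INTERVAL ) {
		return false;
	}
	// The transient expires on its own after WP_MAIL_INTERVAL seconds, so
	// there is no date arithmetic against a stored option and no cron job.
	if ( get_transient( 'mailserver_last_checked' ) ) {
		return false;
	}
	set_transient( 'mailserver_last_checked', time(), WP_MAIL_INTERVAL );
	return true;
}

if ( ! wpmail_check_allowed() ) {
	wp_die( __( 'Mail check skipped: wp-mail.php is rate-limited or disabled.' ) );
}
// The existing POP3 fetch in wp-mail.php would follow here.
```

Two concurrent requests can both pass the get_transient() check before either set_transient() lands, so this limits the rate of mail-server logins rather than guaranteeing exactly one per interval; it is also not authentication, only a throttle on an endpoint anyone can load.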

Attachments (2)

wpmail.patch (717 bytes) - added by lilyfan 12 years ago.
Patch for wp-mail.php
7245.diff (676 bytes) - added by Denis-de-Bernardy 11 years ago.


Change History (17)

@lilyfan
12 years ago

Patch for wp-mail.php

#1 @lilyfan
12 years ago

  • Milestone changed from 2.9 to 2.7

#2 @matt
12 years ago

  • Milestone changed from 2.7 to 2.9

#3 @FFEMTcJ
11 years ago

  • Keywords has-patch added
  • Milestone changed from 2.9 to 2.8

#4 @Denis-de-Bernardy
11 years ago

  • Keywords tested added

On a separate note, shouldn't we check that the mail servers aren't the default ones set by WP? It's like... poor example.com.

Plus, if whoever owns it actually sets up an account with the relevant details, he'll be posting on quite a bit of blogs. :D

#5 @ryan
11 years ago

  • Keywords needs-patch added; has-patch tested removed

Where is mailserver_last_checked set? Regardless, it needs to use get_transient() and set_transient() rather than options.

#6 @janeforshort
11 years ago

  • Milestone changed from 2.8 to Future Release

Punting to be evaluated in next development cycle due to time constraints.

#7 @Denis-de-Bernardy
11 years ago

  • Keywords has-patch tested commit added; needs-patch removed
  • Milestone changed from Future Release to 2.8

The new patch allows disabling post by email by defining the new constant as false.

#8 @Denis-de-Bernardy
11 years ago

  • Owner changed from anonymous to Denis-de-Bernardy
  • Status changed from new to accepted

#9 @westi
11 years ago

  • Keywords early added
  • Milestone changed from 2.8 to 2.9
  • Owner changed from Denis-de-Bernardy to westi

Patch looks good.

Would like to reduce the churn in 2.8 this close to release.

Marking for early 2.9 + backport to 2.8.1

#10 @Denis-de-Bernardy
11 years ago

Still applies cleanly.

#11 @westi
11 years ago

Current patch is a little broken.

Tidying up and will commit.

#12 @westi
11 years ago

  • Resolution set to fixed
  • Status changed from accepted to closed

(In [11782]) Limit wp-mail blog by email checks to every 5 minutes. Fixes #7245 based on patches from lilyfan and Denis-de-Bernardy.

#13 follow-up: @aaroncampbell
11 years ago

I think that set_transient's second argument is a time in seconds. I know you said 5 minutes, but you set it to 500 seconds which is 8.3 minutes. Not sure how much that matters, but I thought I'd point it out.

#14 in reply to: ↑ 13 @westi
11 years ago

Replying to aaroncampbell:

I think that set_transient's second argument is a time in seconds. I know you said 5 minutes, but you set it to 500 seconds which is 8.3 minutes. Not sure how much that matters, but I thought I'd point it out.

Oops. As you identified, that was meant to be 300 not 500. Failed when I switched in the working value after testing with a really small number!

#15 @westi
11 years ago

(In [11786]) Set the interval to 5 minutes like I meant. See #7245 props aaroncampbell.
