#7245 closed enhancement (fixed)
Keep certain interval to fetch mail message
Reported by: | lilyfan | Owned by: | westi |
---|---|---|---|
Milestone: | 2.9 | Priority: | normal |
Severity: | minor | Version: | 2.0 |
Component: | Security | Keywords: | has-patch tested commit early |
Focuses: | Cc: |
Description
wp-mail.php is exposed to being run by third parties. If a malicious user loads wp-mail.php continuously, sequential access to a mail server will occur.
To protect against this attack, wp-mail.php needs to be invoked at certain intervals.
I propose a constant WP_MAIL_INTERVAL to define the interval in minutes, and an option value mailserver_last_checked to keep the datetime when WordPress checked the mail server.
You can stop using wp-mail.php if WP_MAIL_INTERVAL is set to zero (0).
Attachments (2)
Change History (17)
#4, 16 years ago
- Keywords tested added
On a separate note, shouldn't we check that the mail servers aren't the default ones set by WP? It's like... poor example.com.
Plus, if whoever owns it actually sets up an account with the relevant details, he'll be posting on quite a bit of blogs. :D
#5, 16 years ago
- Keywords needs-patch added; has-patch tested removed
Where is mailserver_last_checked set? Regardless, it needs to use get_transient() and set_transient() rather than options.
#6, 16 years ago
- Milestone changed from 2.8 to Future Release
Punting to be evaluated in next development cycle due to time constraints.
#7, 16 years ago
- Keywords has-patch tested commit added; needs-patch removed
- Milestone changed from Future Release to 2.8
New patch allows disabling post by email by defining the new constant as false.
#8, 15 years ago
- Owner changed from anonymous to Denis-de-Bernardy
- Status changed from new to accepted
#9, 15 years ago
- Keywords early added
- Milestone changed from 2.8 to 2.9
- Owner changed from Denis-de-Bernardy to westi
Patch looks good.
Would like to reduce the churn in 2.8 this close to release.
Marking for early 2.9 + backport to 2.8.1
#13 (follow-up: ↓ 14), 15 years ago
I think that set_transient's second argument is a time in seconds. I know you said 5 minutes, but you set it to 500 seconds which is 8.3 minutes. Not sure how much that matters, but I thought I'd point it out.
#14 (in reply to: ↑ 13), 15 years ago
Replying to aaroncampbell:
> I think that set_transient's second argument is a time in seconds. I know you said 5 minutes, but you set it to 500 seconds which is 8.3 minutes. Not sure how much that matters, but I thought I'd point it out.

Oops. As you identified, that was meant to be 300, not 500. Failed when I switched in the working value after testing with a really small number!
Patch for wp-mail.php
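
The throttle discussed in this ticket, sketched as an added example; it is not the attached patch or WordPress's own code. The `demo_*` functions and the `$now` parameter are hypothetical in-memory stand-ins for `get_transient()`/`set_transient()` so the guard runs outside WordPress, and holding `WP_MAIL_INTERVAL` in seconds is an assumption taken from the remark in comment 13 that the expiry argument is in seconds.

```php
<?php
// Added example: in-memory stand-ins for the transient API (hypothetical helpers).
// $now is passed in explicitly so request times can be simulated.
$GLOBALS['demo_transients'] = array();

function demo_set_transient( $key, $value, $ttl_seconds, $now ) {
    $GLOBALS['demo_transients'][ $key ] = array(
        'value'   => $value,
        'expires' => $now + $ttl_seconds,
    );
}

function demo_get_transient( $key, $now ) {
    if ( ! isset( $GLOBALS['demo_transients'][ $key ] ) ) {
        return false;
    }
    if ( $GLOBALS['demo_transients'][ $key ]['expires'] <= $now ) {
        unset( $GLOBALS['demo_transients'][ $key ] ); // expired: behave as if never set
        return false;
    }
    return $GLOBALS['demo_transients'][ $key ]['value'];
}

// Assumption: the interval is kept in seconds, so five minutes is 300, not 500.
define( 'WP_MAIL_INTERVAL', 5 * 60 );

/** Returns 'disabled', 'throttled' or 'checked' for a request arriving at $now. */
function demo_mail_check( $now ) {
    // A value of 0 or false turns post by email off entirely.
    if ( ! WP_MAIL_INTERVAL ) {
        return 'disabled';
    }
    // A live marker means the mail server was contacted within the interval.
    if ( demo_get_transient( 'mailserver_last_checked', $now ) ) {
        return 'throttled';
    }
    // Record the check before contacting the mail server, so repeat
    // requests inside the window are refused.
    demo_set_transient( 'mailserver_last_checked', true, WP_MAIL_INTERVAL, $now );
    return 'checked'; // the mail fetch would run here
}

// Constructed request times, in seconds since the first request.
foreach ( array( 0, 1, 299, 300, 420 ) as $t ) {
    printf( "t=%3ds -> %s\n", $t, demo_mail_check( $t ) );
}
```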