Make WordPress Core

Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#8672 closed defect (bug) (fixed)

XML RPC method bug in 2.7 in wp_newComment()

Reported by: screamingtoaster
Owned by: josephscott
Milestone: 2.7.1
Priority: high
Severity: critical
Version: 2.7
Component: XML-RPC
Keywords: (none)
Focuses: (none)
Cc: (none)

Description

function wp_newComment($args) in xmlrpc.php has 2 problems with it.

  1. If the userid/password doesn't exist in the system, then the user can't log in and an exception is raised. It seems that this was not the desired behavior, since the code following it checks to see if the user is logged in or not. Either the user can log in, or an exception is raised, and execution ceases. Note that this code block is never executed, since if the user doesn't exist, an exception is raised at the start of this method. Here's the code:

        if ( !$this->login_pass_ok( $username, $password ) ) {
            $logged_in = false;
            if ( $allow_anon && get_option('comment_registration') )
                return new IXR_Error( 403, __( 'You must be registered to comment' ) );
            else if ( !$allow_anon )
                return $this->error;
        } else {
            $logged_in = true;
            set_current_user( 0, $username );
            if ( !current_user_can( 'moderate_comments' ) )
                return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this blog.' ) );
        }

  2. When trying to post a comment on behalf of a different user (than the one logging in), there are some bugs in the code. The $content_struct is checked for the existence of 'author' 3 times; it should be checking for 'author', 'author_email' and 'author_url'. Here's the faulty code:

        $comment['comment_author'] = '';
        if ( isset($content_struct['author']) )
            $comment['comment_author'] = $content_struct['author'];
        $comment['comment_author_email'] = '';
        if ( isset($content_struct['author']) )
            $comment['comment_author_email'] = $content_struct['author_email'];
        $comment['comment_author_url'] = '';
        if ( isset($content_struct['author']) )
            $comment['comment_author_url'] = $content_struct['author_url'];
        $comment['user_ID'] = 0;

Attachments (1)

xmlrpc.php.diff (1.1 KB) - added by josephscott 5 years ago.


Change History (6)

comment:1 follow-up: ↓ 2 josephscott 5 years ago

1- I can't replicate this problem. I've confirmed that for an invalid username/password the code does execute to the !$allow_anon check. While an error is stored in $this->error at the time of the user check failing, it isn't used until further into the code. If you can provide detailed steps on how to reproduce the reported problem I'd be happy to help track it down.

2- I don't think we talked about addressing the case where a valid user is trying to leave a comment as someone else. Just before the code block you quoted you'll see a check for $logged_in. If $logged_in is true then we always use their account info to populate the author details. If it's false then we populate the comment author details with the values provided, if they were provided at all.

comment:2 in reply to: ↑ 1 screamingtoaster 5 years ago

Replying to josephscott:

Hi Joseph

Thanks for looking into this so quickly. My comments are below.

    1- I can't replicate this problem, I've confirmed that for an invalid username/password code does execute to the !$allow_anon check. While an error is stored in $this->error at the time of the user check failing, it isn't used until further into the code. If you can provide detailed steps on how to reproduce the reported problem I'd be happy to help track it down.

I would be glad to give you a copy of my database that contains the data I'm testing against. Please let me know if you want this and I will upload it. Here's a step by step guide for how I encounter this problem:

  1. I create a new admin user (uid:admin, with role:admin)
  2. I create a new regular user (uid:user, with role:contributor)
  3. I create a new comment by calling wp.newComment and pass the uid:user as the user, and ask it to create a comment for a post that has comments open. This then results in an error "org.apache.xmlrpc.XmlRpcException: You are not allowed to moderate comments on this blog."
  4. I can call the same wp.newComment method as uid:admin, and it works; I can then edit the comment and make the author uid:user.

My question is, I can post a comment as uid:user using the WordPress user interface, but via XMLRPC there seems to be an issue with role capabilities that exceed Contributor. So how are anonymous comments possible? If I don't provide a userid/password to login with, I get another error: "org.apache.xmlrpc.XmlRpcException: Bad login/pass combination.".

So how can I create a comment anonymously with just an author name, email, and url? This code doesn't seem to support this.

    2- I don't think we talked about addressing the case where a valid user is trying to leave a comment as someone else. Just before the code block you quoted you'll see a check for $logged_in. If $logged_in is true then we always use their account info to populate the author details. If it's false then we populate the comment author details with the values provided, if they were provided at all.

For this part of the issue, as I've shown for part 1, an anonymous user or non-admin user can't post comments, so the part of the code that looks for author{name, email, and url} isn't even reached. Even if it were reached, the if/then statements querying the struct are incorrect. The existence of "author" is used to determine whether "author_email" and "author_url" should be used.

Please let me know if you need any more information from me. I'm using Java and Apache XMLRPC to get to WordPress. I'm creating a BlackBerry app, as well as a GWT based app, to allow editing WordPress blogs.

Thanks,
Nazmul
screamingtoaster@…

comment:3 josephscott 5 years ago

Thanks for the detailed feedback on this. After running through this a few more times I think that I've identified the problems.

1- Only users with the 'moderate_comments' capability can submit comments. I believe the initial thought was that really only admin type users would submit comments via this method. If a site chooses to allow user registration though, it would be handy for any person with a valid account to submit comments. To make that happen I've simply removed the capability check for non-anonymous comments.

2- When anonymous comments are turned on, we weren't checking properly for the author_email and author_url fields. Looks like a simple typo.

I've included a patch to address both of these items. Can you try this again with my patch and confirm that it fixes the problems you are seeing? Also please note that $allow_anon must be true in order for anonymous comments to be allowed.
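The two behaviours this comment describes fixing, and the 2.7 code quoted in the ticket description, as an added PHP illustration. This is not the attached xmlrpc.php.diff and not the code committed in [10380]/[10381]; it is a stand-alone model written for this page. The $site array, fake_login() and the 'can_moderate_comments' flag are assumptions standing in for the WordPress user table, login_pass_ok(), get_option() and current_user_can(), and the sample users and request struct are constructed to mirror the reporter's steps.

```php
<?php
// Added illustration for this ticket, not the WordPress patch itself (the
// attached xmlrpc.php.diff and changesets [10380]/[10381] are not reproduced
// here). It models the two wp_newComment() behaviours discussed above so the
// before/after difference can be run from the command line.
//
// Assumptions, not from the ticket: the $site array, fake_login() and the
// 'can_moderate_comments' flag stand in for WordPress' user table,
// login_pass_ok(), get_option() and current_user_can().

function fake_login(array $site, $username, $password) {
    // Returns the user record on success, null on a bad login/pass combination.
    if (!isset($site['users'][$username])) {
        return null;
    }
    $user = $site['users'][$username];
    return ($user['password'] === $password) ? $user : null;
}

// Author fields exactly as the quoted 2.7 code gates them: all three copies
// are conditioned on isset($content_struct['author']). The '?? null' only
// replaces the undefined-index notice the original would emit when 'author'
// is present but 'author_email'/'author_url' are not.
function author_fields_buggy(array $content_struct) {
    $c = array('comment_author' => '', 'comment_author_email' => '', 'comment_author_url' => '');
    if (isset($content_struct['author'])) {
        $c['comment_author']       = $content_struct['author'];
        $c['comment_author_email'] = $content_struct['author_email'] ?? null;
        $c['comment_author_url']   = $content_struct['author_url'] ?? null;
    }
    return $c;
}

// Each field gated on its own key, as comment:3 describes the fix.
function author_fields_fixed(array $content_struct) {
    $c = array('comment_author' => '', 'comment_author_email' => '', 'comment_author_url' => '');
    $map = array('author'       => 'comment_author',
                 'author_email' => 'comment_author_email',
                 'author_url'   => 'comment_author_url');
    foreach ($map as $key => $field) {
        if (isset($content_struct[$key])) {
            $c[$field] = $content_struct[$key];
        }
    }
    return $c;
}

// The login/anonymous gate. $require_capability = true reproduces 2.7, where
// every authenticated caller also needs moderate_comments; false reproduces
// the change comment:3 describes (any account that can log in may comment).
// Returns either array('error' => message) or the comment array to insert.
function new_comment_gate(array $site, $username, $password, array $content_struct,
                          $allow_anon, $require_capability) {
    $user = fake_login($site, $username, $password);
    if ($user === null) {
        if ($allow_anon && $site['comment_registration']) {
            return array('error' => 'You must be registered to comment');
        } elseif (!$allow_anon) {
            return array('error' => 'Bad login/pass combination.');
        }
        // Anonymous comment: author details come from the request struct.
        $comment = author_fields_fixed($content_struct);
        $comment['user_ID'] = 0;
        return $comment;
    }
    if ($require_capability && !$user['can_moderate_comments']) {
        return array('error' => 'You are not allowed to moderate comments on this blog.');
    }
    // Logged-in caller: author details always come from the account, so a
    // valid user cannot post "as" someone else through this method.
    return array(
        'comment_author'       => $user['display_name'],
        'comment_author_email' => $user['email'],
        'comment_author_url'   => $user['url'],
        'user_ID'              => $user['ID'],
    );
}

// Constructed sample data mirroring the reporter's steps: an admin and a
// contributor, with comment_registration off.
$site = array(
    'comment_registration' => false,
    'users' => array(
        'admin' => array('ID' => 1, 'password' => 'admin-pw', 'display_name' => 'admin',
                         'email' => 'admin@example.com', 'url' => '', 'can_moderate_comments' => true),
        'user'  => array('ID' => 2, 'password' => 'user-pw', 'display_name' => 'user',
                         'email' => 'user@example.com', 'url' => '', 'can_moderate_comments' => false),
    ),
);
$struct = array('content' => 'A comment', 'author_email' => 'anon@example.com',
                'author_url' => 'http://example.com/');

// Contributor under 2.7 rules: rejected. Same call with the check removed: accepted as 'user'.
print_r(new_comment_gate($site, 'user', 'user-pw', $struct, false, true));
print_r(new_comment_gate($site, 'user', 'user-pw', $struct, false, false));
// No credentials: the same error the reporter saw unless $allow_anon is true.
print_r(new_comment_gate($site, '', '', $struct, false, false));
print_r(new_comment_gate($site, '', '', $struct, true, false));
// Issue 2: without an 'author' key, the 2.7 gating silently drops email and url.
print_r(author_fields_buggy($struct));
print_r(author_fields_fixed($struct));
```

Two things worth keeping in mind when reading the output. Dropping the moderate_comments check widens who can create comments over XML-RPC from moderators to every account that can authenticate, which is the intended effect here; the anonymous path is still reachable only when the caller passes $allow_anon as true and comment_registration is off, so a plain call without credentials keeps failing with the "Bad login/pass combination." error from the report. The author_* gating bug cuts both ways: a struct carrying author_email and author_url but no author loses both values silently, while a struct carrying only author reads two undefined indexes, which is why the per-key isset checks are the right fix rather than a single guard.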

josephscott 5 years ago (attachment xmlrpc.php.diff added)

comment:4 ryan 5 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [10380]) XMLRPC wp_newComment() fixes. Props josephscott. fixes #8672 for trunk

comment:5 ryan 5 years ago

(In [10381]) XMLRPC wp_newComment() fixes. Props josephscott. fixes #8672 for 2.7
