[resolved] SECURITY: Discussion Settings Do Not Work in 2.6.1 (12 posts)

  1. Robert Chapin
    Member
    Posted 5 years ago

    "Hold a comment in the queue if it contains 1 or more links." This setting does not work. Comments with links are being posted without moderation.

    "E-mail me whenever Anyone posts a comment." This setting does not work. Comments are being posted without notice to the Admins.

    Akismet is not in use, it is Inactive. I expect WordPress to work without the training wheels.

  2. Robert Chapin
    Member
    Posted 5 years ago

    I have identified the first bug. At the top of comment.php, WordPress is using the wrong regex:

    "|(href\t*?=\t*?['\"]?)?(https?:)?//|i"

    This is the wrong pattern because WordPress is much more liberal about displaying links in comments.

    Is this the correct place to report this security problem?

  3. whooami
    Member
    Posted 5 years ago

    Firstly, have you determined that what you are seeing is actually a comment? Supposed bug reports that 1.) appear months after a release is deemed obsolete, and 2.) would have been previously noticed by thousands of other users are highly suspect as being legitimate.

    I suspect there is something else going on. No offense, but you're not exactly the first person to have comment moderation and notification turned on.

  4. Robert Chapin
    Member
    Posted 5 years ago

    I believe the second bug is in wp_new_comment():

    if ( '0' == $commentdata['comment_approved'] )
        wp_notify_moderator($comment_ID);

    As I understand it, the admin is never notified unless the comment is held for moderation (or later in the function, if the admin happens to be the post author).

  5. Robert Chapin
    Member
    Posted 5 years ago

    Whooami, yes, I have confirmed this is actually a comment. I have logged the following client input on my server.

    '202.133.81.158' Sat, 06 Dec 2008 16:37:30 GMT
    /wp-comments-post.php
    Array
    (
    [author] => love2003
    [email] => tawamutawaku@yahoo.com
    [url] => http://medicindo.blogspot.com
    [comment] => Spoke about the matter of the economic crisis, how you faced?
    http://www.medicindo.blogspot.com
    [submit] => Submit Comment
    [comment_post_ID] => 1195
    )

    The above comment appeared on my blog with no notice and no moderation.

  6. whooami
    Member
    Posted 5 years ago

    I'm missing your point. Comment notifications and moderation work fine in that exploitable version of WordPress that you are using.

    Countless people have used both.

    As I understand it, the admin is never notified unless the comment is held for moderation (or later in the function, if the admin happens to be the post author).

    If you look in the wp-admin, the settings for that are right there:

    E-mail me whenever:
    >> E-mail me whenever Anyone posts a comment
    >> A comment is held for moderation

    With the caveat that admins do NOT get notified when someone comments on a post that they didn't write. That's correct, and that's intentional.

    If you trust someone enough to write, you need to trust them enough to moderate the comments on what it is they wrote.

  7. Robert Chapin
    Member
    Posted 5 years ago

    I have identified the full regex problem now.

    default-filters.php calls

    add_filter('comment_text', 'make_clickable', 9);

    And in formatting.php we have

    function make_clickable($ret) {
        $ret = ' ' . $ret;
        // in testing, using arrays here was found to be faster
        $ret = preg_replace_callback('#([\s>])([\w]+?://[\w\#$%&~/.\-;:=,?@\[\]+]*)#is', '_make_url_clickable_cb', $ret);
        $ret = preg_replace_callback('#([\s>])((www|ftp)\.[\w\#$%&~/.\-;:=,?@\[\]+]*)#is', '_make_web_ftp_clickable_cb', $ret);
        $ret = preg_replace_callback('#([\s>])([.0-9a-z_+-]+)@(([0-9a-z-]+\.)+[0-9a-z]{2,})#i', '_make_email_clickable_cb', $ret);
        // this one is not in an array because we need it to run last, for cleanup of accidental links within links
        // (the <a [^>]+?> and </a> parts of this pattern were eaten by the forum's HTML rendering; restored here)
        $ret = preg_replace("#(<a( [^>]+?>|>))<a [^>]+?>([^>]+?)</a>#i", "$1$3", $ret);
        $ret = trim($ret);
        return $ret;
    }

    Now contrast this against the filter being used by check_comment(), which is only "|(href\t*?=\t*?['\"]?)?(https?:)?//|i"
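To make the mismatch described in this post concrete, the following Python script is an added example; it is not code from the thread or from WordPress. It ports the two PCRE patterns quoted above (the check_comment() moderation pattern and the two URL patterns from make_clickable()) to Python's re module, which accepts them unchanged, and stands in for the _make_url_clickable_cb / _make_web_ftp_clickable_cb callbacks (not shown on the page) with simple anchor wrappers. The sample comments, the `would_be_held` helper and the `count_links_hardened` counter are constructed for illustration and are not the fix WordPress shipped. The point it shows: a comment containing only a bare `www.` or `ftp.` host is rendered as a clickable link by the display path but counted as zero links by the moderation path.

```python
import re

# Moderation-side pattern from check_comment(), quoted in the thread as
# "|(href\t*?=\t*?['\"]?)?(https?:)?//|i", ported unchanged to Python's re.
MODERATION_LINK_RE = re.compile(r"""(href\t*?=\t*?['"]?)?(https?:)?//""", re.IGNORECASE)

# Display-side patterns from make_clickable(), quoted in the thread, ported to Python's re.
# The e-mail pattern and the nested-anchor cleanup step are omitted: neither changes
# how many URL anchors a comment ends up with.
SCHEME_URL_RE = re.compile(r"([\s>])([\w]+?://[\w\#$%&~/.\-;:=,?@\[\]+]*)", re.IGNORECASE | re.DOTALL)
WWW_FTP_RE = re.compile(r"([\s>])((www|ftp)\.[\w\#$%&~/.\-;:=,?@\[\]+]*)", re.IGNORECASE | re.DOTALL)

# Constructed sample comments (not taken from the thread's server log).
SAMPLE_COMMENTS = {
    "scheme": "Nice article, full write-up at http://example.com/notes",
    "bare_www": "Nice article, full write-up at www.example.com/notes",
    "bare_ftp": "Mirror at ftp.example.org/pub",
    "no_link": "Nice article, thanks",
}


def count_moderation_links(comment: str) -> int:
    """Link count as check_comment() sees it: only scheme-prefixed or protocol-relative URLs."""
    return len(MODERATION_LINK_RE.findall(comment))


def make_clickable(comment: str) -> str:
    """Simplified stand-in for make_clickable(): wrap URLs in anchors the way the display path does.

    The replacement bodies approximate the WordPress callbacks, which are not quoted on the page.
    The leading space mirrors the original's `' ' . $ret` so a URL at position 0 is still matched.
    """
    text = " " + comment
    text = SCHEME_URL_RE.sub(
        lambda m: f'{m.group(1)}<a href="{m.group(2)}" rel="nofollow">{m.group(2)}</a>', text
    )
    # Bare www./ftp. hosts get an http:// prefix, as _make_web_ftp_clickable_cb does.
    text = WWW_FTP_RE.sub(
        lambda m: f'{m.group(1)}<a href="http://{m.group(2)}" rel="nofollow">{m.group(2)}</a>', text
    )
    return text.strip()


def count_rendered_links(comment: str) -> int:
    """Number of anchors the reader will actually see after the display filter runs."""
    return make_clickable(comment).count("<a ")


def count_links_hardened(comment: str) -> int:
    """Illustrative moderation counter that also counts bare www./ftp. hosts.

    This closes the gap the thread describes by reusing the display-side WWW_FTP_RE;
    a scheme URL such as http://www.example.com is counted once, because the character
    before its 'www' is '/', not whitespace or '>'.
    """
    text = " " + comment
    return len(MODERATION_LINK_RE.findall(text)) + len(WWW_FTP_RE.findall(text))


def would_be_held(comment: str, max_links: int = 1, counter=count_moderation_links) -> bool:
    """check_comment() holds a comment once the link count reaches the configured maximum."""
    return counter(comment) >= max_links


if __name__ == "__main__":
    for name, comment in SAMPLE_COMMENTS.items():
        print(
            f"{name:9s} moderation={count_moderation_links(comment)} "
            f"rendered={count_rendered_links(comment)} "
            f"held={would_be_held(comment)} held_hardened={would_be_held(comment, counter=count_links_hardened)}"
        )
```

Running the script prints one line per sample: the `bare_www` and `bare_ftp` comments render one anchor each yet are counted as zero links by the moderation pattern, so with the setting at 1 they pass straight through; the hardened counter holds them. The same comparison technique (count with the enforcement regex, render with the display regex, diff the results) is a useful regression check whenever two code paths are supposed to agree on what a "link" is.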

  8. Robert Chapin
    Member
    Posted 5 years ago

    Whooami, I hope you are not the person in charge of security here because your replies are irresponsible.

  9. mrmist
    Forum Janitor
    Posted 5 years ago

    Correctness or otherwise aside for the time being, there is an open ticket on the wording of the notification settings, which could be taken to be somewhat misleading.

    If you believe that the pattern matching is wrong, I'd suggest opening a ticket with your preferred changes in it. But I'd open it against a current version of WP, rather than 2.6.1. (The code, incidentally, is the same.)

  10. Robert Chapin
    Member
    Posted 5 years ago

    Thank you mrmist. For the sake of this conversation I have opened wordpress-2.6.5.zip and found the same code is still being used in check_comment().

    I don't remember opening a ticket here before. How would I begin?

  11. Robert Chapin
    Member
    Posted 5 years ago

    Okay, I think I found the right page from your "an open ticket" link.

    http://trac.wordpress.org/ticket/8517

  12. Robert Chapin
    Member
    Posted 5 years ago

    This also duplicates http://trac.wordpress.org/ticket/7821

    I found the fix in http://svn.automattic.com/wordpress/trunk/wp-includes/comment.php

    Marking this topic resolved now. Thanks again mrmist for pointing me in the right direction.

Topic Closed

This topic has been closed to new replies.