Support » Fixing WordPress » SECURITY: Discussion Settings Do Not Work in 2.6.1

  • Resolved Robert Chapin


    “Hold a comment in the queue if it contains 1 more more links.” This setting does not work. Comments with links are being posted without moderation.

    “E-mail me whenever Anyone posts a comment.” This setting does not work. Comments are being posted without notice to the Admins.

    Akismet is not in use, it is Inactive. I expect WordPress to work without the training wheels.

Viewing 11 replies - 1 through 11 (of 11 total)
  • I have identified the first bug. At the top of comment.php, WordPress is using the wrong regex:


    This is the wrong pattern because WordPress is much more liberal about displaying links in comments.

    Is this the correct place to report this security problem?




    firstly, have you determined that what you are seeing is actually a comment. Supposed bug reports that 1.) appear months after a release is deemed obsolete, and 2.) would have been previously noticed by thousands of other users are highly suspect as being legitimate.

    I suspect there is something else going on. No offense.. but youre not exactly the first person to have comment moderation and notification turned on.

    I believe the second bug is in wp_new_comment()

    if ( ‘0’ == $commentdata[‘comment_approved’] )

    As I understand it, the admin is never notified unless the comment is held for moderation (or later in the function, if the admin happens to be the post author).

    Whooami, Yes I have confirmed this is actually a comment. I have logged the following client input on my server.

    ‘’ Sat, 06 Dec 2008 16:37:30 GMT
    [author] => love2003
    [email] =>
    [url] =>
    [comment] => Spoke about the matter of the economic crisis, how you faced?
    [submit] => Submit Comment
    [comment_post_ID] => 1195

    The above comment appeared on my blog with no notice and no moderation.




    im missing your point. Comment notifications and moderation works fine in that exploitable version of wordpress that you are using.

    countless people have used both.

    As I understand it, the admin is never notified unless the comment is held for moderation (or later in the function, if the admin happens to be the post author).

    if you look in the wp-admin, the settings for that are right there:

    E-mail me whenever:
    >> E-mail me whenever Anyone posts a comment
    >> A comment is held for moderation

    With the caveat that admins do NOT get notified when someone comments on a post that they didnt write. Thats correct, and thats intentional.

    If you trust someone enough to write, you need to trust someone enough to moderate the comments to what it is, they wrote..

    I have identified the full regex problem now.

    default-filters.php calls

    add_filter(‘comment_text’, ‘make_clickable’, 9);

    And in formatting.php we have

    function make_clickable($ret) {
    $ret = ‘ ‘ . $ret;
    // in testing, using arrays here was found to be faster
    $ret = preg_replace_callback(‘#([\s>])([\w]+?://[\w\#$%&~/.\-;:=,?@\[\]+]*)#is’, ‘_make_url_clickable_cb’, $ret);
    $ret = preg_replace_callback(‘#([\s>])((www|ftp)\.[\w\#$%&~/.\-;:=,?@\[\]+]*)#is’, ‘_make_web_ftp_clickable_cb’, $ret);
    $ret = preg_replace_callback(‘#([\s>])([.0-9a-z_+-]+)@(([0-9a-z-]+\.)+[0-9a-z]{2,})#i’, ‘_make_email_clickable_cb’, $ret);
    // this one is not in an array because we need it to run last, for cleanup of accidental links within links
    $ret = preg_replace(“#(<a( [^>]+?>|>))]+?>([^>]+?)#i”, “$1$3”, $ret);
    $ret = trim($ret);
    return $ret;

    Now contrast this against the filter being used by check_comment(), which is only “|(href\t*?=\t*?[‘\”]?)?(https?:)?//|i”

    Whooami, I hope you are not the person in charge of security here because your replies are irresponsible.



    Forum Janitor

    Correctness or otherwise aside for the time being, there is an open ticket on the wording of the notification settings, which could be taken to be somewhat misleading.

    If you believe that the pattern matching is wrong, I’d suggest opening a ticket with your preferred changes in it. But I’d open it against a current version of WP, rather than 2.6.1. (The code, incidentally, is the same.)

    Thank you mrmist. For the sake of this conversation I have opened and found the same code is still being used in check_comment().

    I don’t remember opening a ticket here before. How would I begin?

    Okay I think I found the right page from your “an open ticket” link.

    This also duplicates

    I found the fix in

    Marking this topic resolved now. Thanks again mrmist for pointing me in the right direction.

Viewing 11 replies - 1 through 11 (of 11 total)
  • The topic ‘SECURITY: Discussion Settings Do Not Work in 2.6.1’ is closed to new replies.