[wp-trac] Re: [WordPress Trac] #3699: wp_update_comment_count() causes some plugins to delete usermeta values

WordPress Trac wp-trac at lists.automattic.com
Sun Jan 28 02:49:18 GMT 2007


#3699: wp_update_comment_count() causes some plugins to delete usermeta values
-------------------------+--------------------------------------------------
 Reporter:  markjaquith  |        Owner:  anonymous
     Type:  defect       |       Status:  closed   
 Priority:  high         |    Milestone:  2.1.1    
Component:  General      |      Version:  2.1      
 Severity:  major        |   Resolution:  wontfix  
 Keywords:               |  
-------------------------+--------------------------------------------------
Changes (by markjaquith):

  * status:  new => closed
  * resolution:  => wontfix

Comment:

 Also a good point.  I don't think you can tag via XMLRPC so people with
 the plugin probably never use it.  It's possible that they've always been
 broken like this.

 One solution is for them to set a hidden form field with a nonce value
 when including the form element they're using.  On the backend they could
 verify the nonce and use that as the check.  Otherwise malicious
 commenters could modify the comment form to include the element used as a
 simple check, and use that method to wipe data.

 Plugin authors should also be checking {{{current_user_can()}}} in their
 {{{edit_post}}}-hooked functions.

 So:

 Set a hidden form field with a nonced value and check it on the back end,
 along with checking {{{current_user_can()}}}.  That gets you capability
 and intention.  I'll write up a post on it.

-- 
Ticket URL: <http://trac.wordpress.org/ticket/3699#comment:3>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
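As an added example, not part of the ticket or of WordPress core, here is the pattern the comment above describes in PHP: the field-presence check it warns against alongside the nonce-plus-capability version. The plugin name, meta key, callback names and nonce action are made up for illustration, and the calls use current WordPress APIs (add_meta_box, wp_nonce_field with a named field, the *_user_meta functions) that did not yet exist in 2.1; wp_verify_nonce() and current_user_can() are the checks the comment refers to.

```php
<?php
/*
 * Added example, not code from the ticket, the reporter, or WordPress core.
 * "myplugin", the meta key "myplugin_flag", the callbacks and the nonce
 * action string are invented for illustration. The APIs used postdate 2.1.
 */

// Vulnerable pattern the ticket describes: the presence of a form field is
// the only signal that "our edit form was submitted", and its absence is
// treated as "delete". edit_post also fires on code paths with no form at
// all (wp_update_comment_count() in 2.1), so the value is wiped whenever a
// comment arrives. Worse, a commenter can add a field of this name to the
// comment form and steer the result themselves.
function myplugin_save_insecure( $post_id ) {
    $user_id = get_current_user_id();
    if ( isset( $_POST['myplugin_flag'] ) ) {
        update_user_meta( $user_id, 'myplugin_flag', (int) $_POST['myplugin_flag'] );
    } else {
        delete_user_meta( $user_id, 'myplugin_flag' );
    }
}

// Hardened form: emit a nonce with the field, then require intent (a valid
// nonce) and capability (current_user_can) before touching anything.
function myplugin_form_field( $post ) {
    // Named field: the default name _wpnonce is already used by core's own
    // post form, and a second field with that name would clobber it.
    wp_nonce_field( 'myplugin_save_' . $post->ID, 'myplugin_nonce' );
    $checked = get_user_meta( get_current_user_id(), 'myplugin_flag', true ) ? ' checked="checked"' : '';
    echo '<label><input type="checkbox" name="myplugin_flag" value="1"' . $checked . '> My flag</label>';
}
add_action( 'add_meta_boxes', function () {
    add_meta_box( 'myplugin_box', 'My plugin', 'myplugin_form_field', 'post', 'side' );
} );

function myplugin_save_secure( $post_id ) {
    // Intent: the request must carry the nonce our form emitted for this
    // post. Any other trigger of edit_post (a comment-count update, another
    // plugin, a forged comment form) fails here and nothing is changed.
    if ( empty( $_POST['myplugin_nonce'] )
        || ! wp_verify_nonce( $_POST['myplugin_nonce'], 'myplugin_save_' . $post_id ) ) {
        return;
    }
    // Capability: the nonce proves the form was rendered for this user, not
    // that this user is allowed to edit this post.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    $user_id = get_current_user_id();
    if ( isset( $_POST['myplugin_flag'] ) ) {
        update_user_meta( $user_id, 'myplugin_flag', 1 );
    } else {
        delete_user_meta( $user_id, 'myplugin_flag' );
    }
}
add_action( 'edit_post', 'myplugin_save_secure' );
```

Two design points worth noting. A failing nonce check returns silently rather than calling wp_die(), because core fires edit_post on paths with no form at all (the comment-count update in this ticket among them) and aborting there would break unrelated operations. And the nonce is checked before the capability, since the nonce is what distinguishes "our form was submitted" from "edit_post happened to fire"; current_user_can() alone would still let a logged-in editor's comment wipe their own usermeta.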

