[wp-trac] [WordPress Trac] #13887: comment_whitelist checking in check_comment

WordPress Trac wp-trac at lists.automattic.com
Fri Jun 18 13:28:12 UTC 2010


#13887: comment_whitelist checking in check_comment
--------------------------+-------------------------------------------------
 Reporter:  avereha       |       Owner:       
     Type:  defect (bug)  |      Status:  new  
 Priority:  high          |   Milestone:  3.0.1
Component:  Comments      |     Version:  2.9.2
 Severity:  normal        |    Keywords:       
--------------------------+-------------------------------------------------

Comment(by dd32):

 The result here is that any URLs submitted must have a domain name which
 exists within your blogroll to exploit this loophole. It virtually results
 in the worst case being that pingbacks/trackbacks will bypass the checks
 IF their domain exists within a link, somewhere.

 Currently, a URL of 'http://something.com/' will pass as whitelisted if
 you have a site of 'http://google.com/results/something.com/page/2/'.

 With attached patch: (default blogroll, so wordpress.org exists within
 it.)

 Before:
 {{{
 string 'SELECT link_id FROM wp_links WHERE link_url LIKE ('%localhost%')
 LIMIT 1' (length=72)
 boolean true

 string 'SELECT link_id FROM wp_links WHERE link_url LIKE ('%%%') LIMIT 1'
 (length=64)
 boolean true

 string 'SELECT link_id FROM wp_links WHERE link_url LIKE ('%abc%') LIMIT
 1' (length=66)
 boolean false

 string 'SELECT link_id FROM wp_links WHERE link_url LIKE
 ('%wordpress.org%') LIMIT 1' (length=76)
 boolean true
 }}}

 After:
 {{{
 string 'SELECT link_id FROM wp_links WHERE link_url LIKE
 ('http://localhost%') LIMIT 1' (length=78)
 boolean true

 string 'SELECT link_id FROM wp_links WHERE link_url LIKE ('http://\\%%')
 LIMIT 1' (length=72)
 boolean false

 string 'SELECT link_id FROM wp_links WHERE link_url LIKE ('http://abc%')
 LIMIT 1' (length=72)
 boolean false

 string 'SELECT link_id FROM wp_links WHERE link_url LIKE
 ('http://wordpress.org%') LIMIT 1' (length=82)
 boolean true
 }}}

 Seems like a better idea to check the scheme/domain: not only will it
 prevent the domain existing -somewhere- in a link, but it'll also allow
 the DB to perform the search better, I'd assume (thanks to the anchored
 start, rather than an open-ended pattern).

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/13887#comment:5>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
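The two whitelist checks dd32 compares above, reproduced as an added, self-contained example (this is not the ticket's patch and not WordPress code: it uses Python and an in-memory SQLite table as a stand-in for the PHP/MySQL `wp_links` lookup, and the blogroll rows, the URLs tested and the function names are constructed for illustration). It shows why the unanchored `LIKE '%domain%'` pattern matches a host that only appears in another link's path, and why a domain of `%` (or no domain at all) matches every row, while the anchored, escaped `LIKE 'scheme://host%'` pattern only matches a blogroll entry that really starts with that scheme and host.

```python
import re
import sqlite3

# Constructed blogroll, mirroring the ticket's scenario: the default entry
# wordpress.org, a localhost link, and one link whose *path* contains a host name.
SAMPLE_LINKS = [
    "http://wordpress.org/",
    "http://localhost/",
    "http://google.com/results/something.com/page/2/",
]

_URL_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*)://([^/?#]*)")


def build_db():
    """In-memory stand-in for the wp_links table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_links (link_id INTEGER PRIMARY KEY, link_url TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO wp_links (link_url) VALUES (?)", [(u,) for u in SAMPLE_LINKS]
    )
    return conn


def split_url(url):
    """Return (scheme, host) from a URL, or ('', '') if it has no scheme://host part.
    User-info and port are dropped so only the host name is compared."""
    m = _URL_RE.match(url)
    if not m:
        return "", ""
    host = m.group(2).rsplit("@", 1)[-1].split(":", 1)[0].lower()
    return m.group(1).lower(), host


def whitelisted_unanchored(conn, url):
    """'Before' check: LIKE '%domain%' with no anchoring and no escaping.
    Any row containing the host anywhere matches, and a host of '' or '%'
    degenerates into a pattern that matches every row."""
    _, host = split_url(url)
    pattern = "%" + host + "%"
    row = conn.execute(
        "SELECT link_id FROM wp_links WHERE link_url LIKE ? LIMIT 1", (pattern,)
    ).fetchone()
    return row is not None


def like_escape(value, esc="\\"):
    """Escape LIKE metacharacters so user-supplied text is matched literally."""
    return (
        value.replace(esc, esc + esc)
        .replace("%", esc + "%")
        .replace("_", esc + "_")
    )


def whitelisted_anchored(conn, url):
    """'After' check: pattern anchored at scheme://host with metacharacters escaped.
    Only a blogroll entry that starts with the same scheme and host matches."""
    scheme, host = split_url(url)
    if not scheme or not host:
        return False
    pattern = like_escape(scheme + "://" + host) + "%"
    row = conn.execute(
        "SELECT link_id FROM wp_links WHERE link_url LIKE ? ESCAPE '\\' LIMIT 1",
        (pattern,),
    ).fetchone()
    return row is not None


def compare(conn, urls):
    """Run both checks over a list of URLs; returns {url: (before, after)}."""
    return {u: (whitelisted_unanchored(conn, u), whitelisted_anchored(conn, u)) for u in urls}


if __name__ == "__main__":
    db = build_db()
    for url, (before, after) in compare(
        db,
        ["http://localhost/", "http://%/", "http://abc/", "http://wordpress.org/",
         "http://something.com/", "not a url"],
    ).items():
        print(f"{url:28} unanchored={before!s:5} anchored={after!s:5}")
```

The anchored pattern also lets the database use an index on `link_url` as a range scan, which a leading `%` wildcard prevents; the `ESCAPE` clause is spelled out so the escaping rule does not depend on the database's default escape character.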

