[wp-trac] [WordPress Trac] #4533: "Mark as spam" agrees to do its
work even on inappropriate comment ID
WordPress Trac
wp-trac at lists.automattic.com
Mon Jun 25 13:59:47 GMT 2007
#4533: "Mark as spam" agrees to do its work even on inappropriate comment ID
----------------------------+-----------------------------------------------
Reporter: redsweater | Owner: anonymous
Type: defect | Status: new
Priority: normal | Milestone:
Component: Administration | Version: 2.2.1
Severity: normal | Keywords:
----------------------------+-----------------------------------------------
When spam gets through Akismet, I end up clicking the "Spam It" link from
the email notice. Sometimes I forget that I've spammed it, or I'm not
sure, so I click it again later, after the comment is already gone.

In this case, WordPress is frighteningly agreeable about marking as spam a
comment ID that no longer exists. For instance, supply any other WordPress
root URL in this template:

http://www.red-sweater.com/blog/wp-admin/comment.php?action=cdc&dt=spam&c=99999999999

(assuming all those 9's are a high enough comment ID to be "non-existent")

WordPress presents a panel offering to mark the comment as spam, but all
the fields are blank (screenshot attached).

It's frightening to have WordPress agree to such a thing, when the comment
doesn't exist. While the result of saying "Yes" is probably safe, it makes
me wonder whether the defect could lead to an unexpectedly harmful SQL
query.

WordPress should detect the non-existence of the comment ID and present an
appropriate "no such comment" panel instead.
--
Ticket URL: <http://trac.wordpress.org/ticket/4533>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
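
One way to perform the check the ticket asks for, validating the `c` parameter and confirming the comment exists before any confirmation panel is built. This is an added example, not WordPress core code and not from the reporter; the in-memory `$comments` array, the function names, the status codes and the "already spam" branch are assumptions made for illustration.

```php
<?php
// Added illustration; not WordPress core code. All names are hypothetical.

// Constructed sample data standing in for the comments table.
$comments = [
    41 => ['author' => 'alice', 'content' => 'Nice post', 'status' => 'approved'],
    42 => ['author' => 'buy-pills', 'content' => 'cheap pills', 'status' => 'approved'],
];

/** Parse the raw "c" parameter; return a positive int, or null if malformed. */
function parse_comment_id($raw): ?int
{
    // Digits only, so "42abc", "-1" and "" are rejected instead of being cast.
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;
    }
    // FILTER_VALIDATE_INT fails on values outside the platform's int range
    // instead of silently turning them into some other, possibly valid, ID.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Decide what a "mark as spam" request should show, before any UPDATE runs. */
function spam_confirmation(array $comments, $raw): array
{
    $id = parse_comment_id($raw);
    if ($id === null) {
        return ['http' => 400, 'panel' => 'Invalid comment ID.'];
    }
    if (!isset($comments[$id])) {
        // The case from the ticket: a well-formed ID with no matching row.
        return ['http' => 404, 'panel' => 'No such comment.'];
    }
    if ($comments[$id]['status'] === 'spam') {
        // Second click on the e-mailed link: nothing left to do.
        return ['http' => 200, 'panel' => 'Comment is already marked as spam.'];
    }
    $author = htmlspecialchars($comments[$id]['author'], ENT_QUOTES, 'UTF-8');
    return ['http' => 200, 'panel' => "Mark comment #$id by $author as spam?"];
}

// Constructed inputs: an existing ID, the ID from the ticket, and two malformed values.
foreach (['42', '99999999999', '42abc', ''] as $raw) {
    $r = spam_confirmation($comments, $raw);
    printf("c=%-14s -> %d %s\n", var_export($raw, true), $r['http'], $r['panel']);
}
```

The same lookup belongs in the handler that performs the update after the user confirms, since that request can be sent without ever loading the panel.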