[wp-trac] [WordPress Trac] #8672: XML RPC method bug in 2.7 in wp_newComment()

WordPress Trac wp-trac at lists.automattic.com
Thu Dec 18 21:59:55 GMT 2008


#8672: XML RPC method bug in 2.7 in wp_newComment()
------------------------------+---------------------------------------------
 Reporter:  screamingtoaster  |       Owner:  josephscott
     Type:  defect (bug)      |      Status:  new        
 Priority:  high              |   Milestone:  2.7.1      
Component:  XML-RPC           |     Version:  2.7        
 Severity:  critical          |    Keywords:             
------------------------------+---------------------------------------------
 '''function wp_newComment($args) in xmlrpc.php has 2 problems with it.'''

 1. If the userid/password doesn't exist in the system, then the user can't
 login and an exception is raised. It seems that this was not the desired
 behavior, since the code following it checks to see if the user is logged
 in or not. Either the user can login, or an exception is raised, and
 execution ceases. Note that this code block is never executed, since if
 the user doesn't exist, an exception is raised at the start of this
 method. Here's the code:


 {{{
         if ( !$this->login_pass_ok( $username, $password ) ) {
                 $logged_in = false;
                 if ( $allow_anon && get_option('comment_registration') )
                         return new IXR_Error( 403, __( 'You must be registered to comment' ) );
                 else if ( !$allow_anon )
                         return $this->error;
         } else {
                 $logged_in = true;
                 set_current_user( 0, $username );
                 if ( !current_user_can( 'moderate_comments' ) )
                         return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this blog.' ) );
         }
 }}}


 2. When trying to post a comment on behalf of a different user (than the
 one logging in), there are some bugs in the code. The $content_struct is
 checked for the existence of 'author' 3 times; it should be checking for
 'author' and 'author_email' and 'author_url'. Here's the faulty code:


 {{{
         $comment['comment_author'] = '';
         if ( isset($content_struct['author']) )
                 $comment['comment_author'] = $content_struct['author'];
         $comment['comment_author_email'] = '';
         if ( isset($content_struct['author']) )
                 $comment['comment_author_email'] = $content_struct['author_email'];
         $comment['comment_author_url'] = '';
         if ( isset($content_struct['author']) )
                 $comment['comment_author_url'] = $content_struct['author_url'];
         $comment['user_ID'] = 0;
 }}}
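 The following is an added illustration, not code from this ticket or from
 WordPress core. It places the key mismatch quoted above beside a variant in
 which each field is guarded by its own key, and feeds both a constructed
 XML-RPC struct that carries only 'author'. The function names and the
 sample struct are assumptions made for the illustration.

```php
<?php
// Added illustration (not WordPress code): the faulty mapping from the
// ticket next to a corrected one, run on a constructed request struct.

// Faulty mapping as quoted in the ticket: every isset() tests 'author',
// so author_email and author_url are read even when they were not sent.
function map_author_faulty(array $content_struct): array {
    $comment = array();
    $comment['comment_author'] = '';
    if ( isset($content_struct['author']) )
        $comment['comment_author'] = $content_struct['author'];
    $comment['comment_author_email'] = '';
    if ( isset($content_struct['author']) )
        $comment['comment_author_email'] = $content_struct['author_email'];
    $comment['comment_author_url'] = '';
    if ( isset($content_struct['author']) )
        $comment['comment_author_url'] = $content_struct['author_url'];
    $comment['user_ID'] = 0;
    return $comment;
}

// Corrected variant (assumed fix, not the project's): each comment field is
// copied only when its own key is present in the struct.
function map_author_fixed(array $content_struct): array {
    $comment = array(
        'comment_author'       => '',
        'comment_author_email' => '',
        'comment_author_url'   => '',
        'user_ID'              => 0,
    );
    foreach ( array('author', 'author_email', 'author_url') as $key ) {
        if ( isset($content_struct[$key]) )
            $comment['comment_' . $key] = $content_struct[$key];
    }
    return $comment;
}

// Constructed sample struct: a client that supplies only the author name.
$struct = array('author' => 'Example Commenter');

// Surface PHP's undefined-index diagnostics instead of letting them go to the log,
// so the difference between the two mappings is visible on the console.
set_error_handler(function (int $errno, string $errstr): bool {
    echo "diagnostic: $errstr\n";
    return true;
});

var_dump(map_author_faulty($struct));
var_dump(map_author_fixed($struct));
```

 With only 'author' supplied, the faulty mapping reads two keys that do not
 exist: PHP emits an undefined-index diagnostic for each and stores null in
 comment_author_email and comment_author_url instead of the intended empty
 string. The corrected mapping reads nothing it has not first checked and
 leaves both fields as ''. Neither variant decides who is permitted to set
 these fields; that is the job of the login check in the first snippet of
 the ticket.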

-- 
Ticket URL: <http://trac.wordpress.org/ticket/8672>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software