[wp-trac] [WordPress Trac] #10975: comment form nonce
WordPress Trac
wp-trac at lists.automattic.com
Tue Oct 20 01:01:50 UTC 2009
#10975: comment form nonce
-------------------------+--------------------------------------------------
Reporter: tellyworth | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Unassigned
Component: General | Version:
Severity: normal | Keywords: has-patch, dev-feedback
-------------------------+--------------------------------------------------
Comment(by tellyworth):
"I don't see what this solves. I assume it's attempting to prevent
automated commenting by bots. The nonce will be identical for every non-
logged in visitor so it'll be very easy for an automated comment bot to
get this nonce and use it in its requests, and then we're back to square
one."
It blocks several things:
1. Dumb bots that just drive-by POST without fetching the page. These are
still very common, so it will block a substantial amount of spam.
2. XSS attacks that try to defeat spam filters by tricking real people
into submitting an anonymous comment on another blog. Currently rare, but
there's no reason to wait until it becomes common.
3. Slightly less dumb bots that do a single fetch on a blog first, then
submit many comments on multiple posts. This won't work with the patch
applied because the nonce is unique to each post.
This is not intended to block all spam (that's the job of specialized
plugins), just raise the bar a little by eliminating the simplest attacks.
filosofo, incorporating the client's IP address would block some
legitimate comments. There is scope for hashing and checking additional
info, but I think that's the job of spam filtering plugins, not core (that
sort of stuff has to change frequently for it to be effective).
--
Ticket URL: <http://core.trac.wordpress.org/ticket/10975#comment:4>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
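The following Python model is added here as an illustration and is not the ticket's patch or WordPress core code. It shows what a per-post, time-windowed comment nonce blocks and what it does not: the three cases listed in the comment above, plus the acknowledged gap (a bot that fetches each post's form before posting gets a valid nonce). Everything in it is an assumption for the example: a constructed secret salt, a 24-hour nonce life split into two windows, the action name `comment-<post_id>`, user id 0 for anonymous visitors, and the hidden field name `_wpnonce`. WordPress's real `wp_create_nonce()` / `wp_verify_nonce()` derive the value with `wp_hash()` and the site's own salts; this is a stand-in for the mechanism, not its implementation.

```python
import hashlib
import hmac
import time

# Constructed values for this example; a real site uses its own secret salt.
SECRET_KEY = b"constructed-example-site-salt"
NONCE_LIFE = 24 * 60 * 60  # seconds a nonce can stay valid (two half-life windows)


def nonce_tick(now=None):
    """Number the current half-life window; a nonce is bound to one window."""
    if now is None:
        now = time.time()
    return int(now // (NONCE_LIFE / 2))


def create_comment_nonce(post_id, user_id=0, now=None):
    """Value placed in the hidden field of the comment form for one post.

    Anonymous readers all share user_id=0, so every logged-out visitor of the
    same post is served the same nonce (the objection quoted in the ticket).
    It still differs between posts and between time windows, which is what
    the comment relies on. Action name and truncation are assumptions.
    """
    msg = f"{nonce_tick(now)}|comment-{post_id}|{user_id}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:10]


def verify_comment_nonce(nonce, post_id, user_id=0, now=None):
    """Return 1 for a nonce from the current window, 2 for the previous one,
    False otherwise (the same 1/2/False convention WordPress uses)."""
    if not nonce:
        return False
    if now is None:
        now = time.time()
    for age in (1, 2):
        # Recreate the nonce as it would have been issued in that window.
        window_time = now - (age - 1) * (NONCE_LIFE / 2)
        expected = create_comment_nonce(post_id, user_id, now=window_time)
        if hmac.compare_digest(nonce, expected):
            return age
    return False


def handle_comment_post(form, post_id, now=None):
    """Server-side check a comment handler runs on each POST.
    `form` is the parsed POST body; only the nonce field matters here."""
    if not verify_comment_nonce(form.get("_wpnonce"), post_id, now=now):
        return "rejected"
    return "accepted"


def spam_scenarios(now=1_000_000_000):
    """Replay the cases from the ticket comment, plus the acknowledged gap."""

    def form_for(post_id, at=now):
        # A form as served for `post_id` at time `at`, with its nonce filled in.
        return {"_wpnonce": create_comment_nonce(post_id, now=at),
                "comment": "constructed spam text"}

    return {
        # 1. drive-by bot that POSTs without ever fetching the form (no nonce)
        "drive_by_no_nonce": handle_comment_post({"comment": "spam"}, 7, now),
        # 3. bot fetched post 7 once, then replays that nonce against post 8
        "replay_other_post": handle_comment_post(form_for(7), 8, now),
        # 2. a form built on another site without the target's nonce is the
        #    drive-by case; a real visitor submitting the served form passes
        "genuine_same_post": handle_comment_post(form_for(7), 7, now),
        # a nonce from the previous window is still accepted (grace period)
        "previous_window": handle_comment_post(form_for(7, now - NONCE_LIFE / 2), 7, now),
        # a nonce from two windows ago is not
        "expired": handle_comment_post(form_for(7, now - NONCE_LIFE), 7, now),
        # the limit the comment accepts: a bot that fetches each post's form
        # first obtains a valid nonce, so this is left to spam-filter plugins
        "bot_fetches_each_post": handle_comment_post(form_for(8), 8, now),
    }


if __name__ == "__main__":
    for name, result in spam_scenarios().items():
        print(f"{name:24s} {result}")
```

The replay case is the one the per-post binding buys: the nonce for post 7 is not valid for post 8 even within the same window, so a single fetch no longer unlocks comments on every post. The last scenario shows why the comment calls this "raising the bar" rather than blocking spam: any client that does one fetch per post is indistinguishable from a browser at this layer.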