[wp-trac] [WordPress Trac] #14601: wp_new_comment method doesn't allow passed in values for IP and user-agent
WordPress Trac
noreply at wordpress.org
Tue Jun 23 02:15:37 UTC 2015
#14601: wp_new_comment method doesn't allow passed in values for IP and user-agent
--------------------------------+--------------------------
Reporter: mrutz | Owner: rachelbaker
Type: enhancement | Status: accepted
Priority: normal | Milestone: 4.3
Component: Comments | Version: 3.0.1
Severity: normal | Resolution:
Keywords: rest-api has-patch | Focuses:
--------------------------------+--------------------------
Comment (by dd32):
> Is there a situation where $commentdata is actually just $_POST data? Is
> it unreasonable for a plugin to have done that? We need to make sure users
> can't control these values.
In a quick look through the `wp-plugins` GitHub account I couldn't see any
plugins using `$_POST` directly, but that's obviously not all of them.
> For API use the REMOTE_ADDR attribute would not be reliable or
> populated, and will trigger a PHP Notice of Undefined Index.
@rachelbaker I'm curious as to this - other than a CLI use-case,
REMOTE_ADDR should be set correctly, and if not, should be set in the
bootstrap for the API.. same goes for the user agent..
What's your use-case exactly?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/14601#comment:28>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform