[wp-trac] [WordPress Trac] #36766: Improve Source Verification in Pingbacks and Add Filter
WordPress Trac
noreply at wordpress.org
Thu May 5 15:26:59 UTC 2016
#36766: Improve Source Verification in Pingbacks and Add Filter
------------------------------+-----------------------------
Reporter: dshanske | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Pings/Trackbacks | Version:
Severity: normal | Keywords:
Focuses: |
------------------------------+-----------------------------
Like the do_pings code, the source verification should make a HEAD request
to the site, retrieving the content type and rejecting images, video, or
audio from being downloaded at all, removing a possible attack vector. The
content-type check, which is not currently done by the code, is in the
specification. "''It then requests the content of
http://alice.example.org/#p123 and checks the Content-Type of the entity
returned to make sure it is text of some sort.''"
For display purposes, the content-type should also be passed into the
$commentdata for use in preprocessing.
The current code goes through the remote source replacing possible links
to content to generate an excerpt. However, the specification only
notes retrieving an 'extract of the page content surrounding the link' as
an example of content that might be retrieved, and says nothing about
display, and most people agree the [...] excerpt display isn't exactly
attractive.
The code should verify the source on a plaintext level before anything
else and fail immediately, then pass the result of that, along with the
source and the retrieved content-type to a filter for more complicated
checks if needed. For example, checking to see if it is in proper HTML
format (link in a href or some other proper link type).
We treat pingbacks as a comment type, but pingbacks are generated based on
the source provided.
Related: #34419
--
Ticket URL: <https://core.trac.wordpress.org/ticket/36766>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
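The verification order the ticket proposes (HEAD first, reject non-text Content-Types before downloading anything, plain-text link check, then a filter for deeper checks), written out as an added example. This is illustration code, not WordPress core: the function name `example_verify_pingback_source` and the filter name `example_pingback_source_verified` are invented, and the HTTP calls are the real `wp_safe_remote_head` / `wp_safe_remote_get` API.

```php
<?php
/**
 * Hypothetical helper showing the verification order proposed in #36766:
 * 1. HEAD request; reject any Content-Type that is not text/* without fetching the body.
 * 2. Fetch the body (size-bounded) and check, on a plain-text level, that it mentions $target.
 * 3. Hand the result, source, content type and body to a filter for more complicated checks.
 * The function and filter names are invented for this example; they are not core APIs.
 */
function example_verify_pingback_source( $source, $target, array &$commentdata ) {
	// Step 1: HEAD only. wp_safe_remote_head() also refuses unsafe/local URLs.
	$head = wp_safe_remote_head( $source, array( 'timeout' => 10 ) );
	if ( is_wp_error( $head ) || 200 !== (int) wp_remote_retrieve_response_code( $head ) ) {
		return false;
	}
	$content_type = (string) wp_remote_retrieve_header( $head, 'content-type' );
	// Expose the content type to later preprocessing, as the ticket suggests (key is an assumption).
	$commentdata['comment_meta']['source_content_type'] = $content_type;
	// Images, video, audio etc. are rejected here and never downloaded.
	if ( 0 !== strpos( strtolower( $content_type ), 'text/' ) ) {
		return false;
	}

	// Step 2: fetch the body, capped at 1 MiB so a huge page cannot exhaust memory.
	$response = wp_safe_remote_get( $source, array( 'timeout' => 10, 'limit_response_size' => 1048576 ) );
	if ( is_wp_error( $response ) ) {
		return false;
	}
	$body = wp_remote_retrieve_body( $response );
	// Plain-text check: the target URL must appear somewhere in the source; fail fast if not.
	$verified = ( false !== strpos( $body, $target ) );
	if ( ! $verified ) {
		return false;
	}

	// Step 3: let a filter refine the decision with more expensive checks.
	return (bool) apply_filters( 'example_pingback_source_verified', $verified, $source, $target, $content_type, $body );
}

// Example filter: additionally require the target to be the href of a real <a> element.
add_filter( 'example_pingback_source_verified', function ( $verified, $source, $target, $content_type, $body ) {
	if ( ! $verified ) {
		return false;
	}
	$pattern = '#<a\b[^>]*\bhref\s*=\s*["\']' . preg_quote( $target, '#' ) . '["\']#i';
	return 1 === preg_match( $pattern, $body );
}, 10, 5 );
```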