[wp-trac] [WordPress Trac] #49956: Spammers able to share unmoderated comments
WordPress Trac
noreply at wordpress.org
Thu Apr 23 13:26:05 UTC 2020
#49956: Spammers able to share unmoderated comments
--------------------------+---------------------
Reporter: jonkolbert | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: 5.4.2
Component: Comments | Version: 5.1
Severity: major | Resolution:
Keywords: needs-patch | Focuses:
--------------------------+---------------------
Comment (by ayeshrajans):
It turns out that WordPress is hesitant to set any cookies on sites
without explicit consent, so this leaves cookies out of the user
verification. Here is a very simple approach of validating that the user
has the same IP address as the one the comment was originally left from.
This should take away the incentive for spammers, because outside users
will not see the comment even though the exact same URL is used.
This is a very short-sighted fix, and I do not recommend we go down this
road:
1. It uses `$_SERVER['REMOTE_ADDR']`, which is not concrete. Reverse
proxies sometimes do not forward the user's IP, and this needs to be taken
into account.
2. If the WordPress site is caching static responses, or is behind a
load-balancer that caches responses, everyone with the unique URL will get
the comment even though they come from different IP addresses.
I think the security issue the OP mentioned is a serious one that can
affect the majority of the WordPress sites out there. I think our step
would be to expose an admin configuration option to disable the URL-scoped
comment preview feature. I know I will immediately disable this feature
instead of dealing with fragile scoping mechanisms.
Alternately, the comment preview can be enabled only for those who consent
to cookies, and the comment preview emits a `Vary: cookie` header to bust
load-balancer/proxy caching.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/49956#comment:7>
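The two failure modes the comment lists, and the cookie-plus-Vary alternative it proposes, side by side as an added example. This is illustrative code written for this page, not code from the ticket, the commenter, or WordPress core; the function names, the cookie name `comment_preview`, the placeholder secret and the sample requests are all assumed. It also goes slightly beyond the comment by sending `Cache-Control: private, no-store` alongside `Vary: Cookie`, so the unapproved text is never stored by a shared cache at all.

```php
<?php
// Added example (not WordPress core code). Contrasts the IP-scoped preview
// check criticised in the comment with a consent-gated, cookie-scoped check,
// and shows the response headers that stop a shared cache from handing one
// visitor's preview to everyone. All names and sample values are assumed.

const PREVIEW_SECRET = 'replace-with-a-per-site-secret'; // placeholder value

// Naive check: REMOTE_ADDR must equal the address stored with the comment.
// Behind a reverse proxy that does not forward the client IP, the stored
// address and REMOTE_ADDR are both the proxy's, so every visitor matches.
function preview_allowed_by_ip(array $comment, array $server): bool
{
    return isset($server['REMOTE_ADDR'])
        && $comment['author_ip'] === $server['REMOTE_ADDR'];
}

// Cookie-scoped check: only when the visitor consented to cookies does the
// site set a cookie carrying the comment id and an HMAC over it. The preview
// is shown only if that HMAC verifies, so the URL alone reveals nothing.
function preview_cookie_value(int $comment_id): string
{
    return $comment_id . ':' . hash_hmac('sha256', (string) $comment_id, PREVIEW_SECRET);
}

function preview_allowed_by_cookie(array $comment, array $cookies): bool
{
    if (!isset($cookies['comment_preview'])) {
        return false;
    }
    // hash_equals() compares in constant time.
    return hash_equals(preview_cookie_value($comment['id']), $cookies['comment_preview']);
}

// Headers for the preview response. Vary: Cookie keys any shared cache on the
// cookie (the header the comment suggests); the private, no-store policy goes
// further and keeps the unapproved text out of shared caches entirely.
function preview_headers(): array
{
    return ['Vary' => 'Cookie', 'Cache-Control' => 'private, no-store'];
}

// Constructed sample data: the same comment as recorded on a directly
// reachable site and on a site behind a non-forwarding reverse proxy.
$direct  = ['id' => 42, 'author_ip' => '203.0.113.7'];
$proxied = ['id' => 42, 'author_ip' => '10.0.0.1'];
$author_cookie = ['comment_preview' => preview_cookie_value(42)];

$cases = [
    ['direct site, author',                    $direct,  ['REMOTE_ADDR' => '203.0.113.7'],  $author_cookie],
    ['direct site, outsider with the URL',     $direct,  ['REMOTE_ADDR' => '198.51.100.9'], []],
    ['proxied site, outsider with the URL',    $proxied, ['REMOTE_ADDR' => '10.0.0.1'],     []],
    ['proxied site, outsider with bad cookie', $proxied, ['REMOTE_ADDR' => '10.0.0.1'],     ['comment_preview' => '42:notavalidmac']],
];

foreach ($cases as [$label, $comment, $server, $cookies]) {
    printf("%-40s ip-check=%-4s cookie-check=%s\n", $label,
        preview_allowed_by_ip($comment, $server) ? 'show' : 'hide',
        preview_allowed_by_cookie($comment, $cookies) ? 'show' : 'hide');
}
foreach (preview_headers() as $name => $value) {
    printf("%s: %s\n", $name, $value);
}
```

Run with `php preview_check.php`. The proxied rows are the point: the IP check shows the unapproved comment to any visitor whose request arrives through the same proxy, while the cookie check hides it because neither a missing cookie nor a cookie with the wrong MAC verifies. The headers only matter if the site actually honours them end to end; a caching layer configured to ignore `Vary` or strip `Cache-Control` reintroduces the second failure mode, which is why the comment's suggestion to expose an option to disable the preview altogether remains the simplest mitigation.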