[wp-trac] [WordPress Trac] #49956: Spammers able to share unmoderated comments
WordPress Trac
noreply at wordpress.org
Thu Apr 23 22:25:03 UTC 2020
#49956: Spammers able to share unmoderated comments
--------------------------+---------------------
 Reporter:  jonkolbert    |       Owner:  (none)
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  5.4.2
Component:  Comments      |     Version:  5.1
 Severity:  major         |  Resolution:
 Keywords:  needs-patch   |     Focuses:
--------------------------+---------------------
Comment (by peterwilsoncc):
@ayeshrajans Thanks for the patch.
As you mention, obtaining the remote address can be difficult for sites
using a CDN/reverse proxy as they're not included in the request to the
app server to improve caching.
How about this for an approach?
* The moderation is valid once only, i.e. deleted once the commenter is
redirected to the page.
* If not already the case, when the query string includes `unapproved`
and/or `moderation-hash` the nocache headers are included in the page -
refer to
[http://developer.wordpress.org/reference/functions/nocache_headers/ the
`nocache_headers()` function]
* That the hash is valid could be indicated by the existence of some
comment meta data, it would only be added if a commenter denies the cookie
request and deleted upon display -- this will help keep the comment meta
table clean.
@johnbillion Could I get a second opinion from you on the above approach
-- I'm in two minds about changing meta data on a front end page view but
certainly agree this needs to be fixed.
If it's all too much, I think I'd prefer the approach of you must have a
cookie to preview...
--
Ticket URL: <https://core.trac.wordpress.org/ticket/49956#comment:8>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
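
The one-time preview flow proposed in the comment above, as an added sketch that is not part of the ticket, any attached patch, or WordPress core. The function names and the meta key are hypothetical, and the expected hash is passed in because the page does not say how it is derived.

```php
<?php
// Added example: hypothetical helpers, not WordPress core code.
// The meta key name is an assumption made for this sketch.
const EXAMPLE_PREVIEW_META = '_example_preview_pending';

/**
 * Call when a comment is held for moderation and the commenter
 * declined the cookie: flag the comment as previewable once.
 */
function example_grant_preview( int $comment_id ): void {
	// $unique = true: never store more than one flag per comment.
	add_comment_meta( $comment_id, EXAMPLE_PREVIEW_META, '1', true );
}

/**
 * Call on the front end before any output is sent. Returns true only for
 * the first request that presents the correct hash for a flagged comment.
 *
 * $expected_hash is the value core issued for this comment (assumption:
 * the caller already has it; its derivation is outside this sketch).
 */
function example_consume_preview( int $comment_id, string $expected_hash ): bool {
	$has_unapproved = isset( $_GET['unapproved'] );
	$has_hash       = isset( $_GET['moderation-hash'] );
	if ( ! $has_unapproved && ! $has_hash ) {
		return false; // Ordinary page view, nothing to do.
	}

	// Either parameter makes the response per-visitor: keep it out of caches.
	nocache_headers();

	if ( ! $has_unapproved || ! $has_hash
		|| absint( $_GET['unapproved'] ) !== $comment_id ) {
		return false;
	}

	// Reject array-valued parameters, then compare in constant time.
	$supplied = wp_unslash( $_GET['moderation-hash'] );
	if ( ! is_string( $supplied ) || ! hash_equals( $expected_hash, $supplied ) ) {
		return false;
	}

	// delete_comment_meta() returns false when no row was removed, so a
	// replayed or shared link fails here after the first successful view.
	return delete_comment_meta( $comment_id, EXAMPLE_PREVIEW_META );
}
```

The consume step performs a database write on a GET request, which is the trade-off the comment raises about changing meta data on a front end page view.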