[wp-trac] [WordPress Trac] #13791: Prevent comment author impersonation
WordPress Trac
wp-trac at lists.automattic.com
Fri Jun 11 03:44:55 UTC 2010
#13791: Prevent comment author impersonation
-------------------------+--------------------------------------------------
Reporter: mdawaffe | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: 3.1
Component: Comments | Version: 2.9.2
Severity: normal | Keywords: has-patch
-------------------------+--------------------------------------------------
Comment(by filosofo):
Replying to [comment:5 mdawaffe]:
> Replying to [comment:4 filosofo]:
> I consider this a Proof of Concept, not a final implementation. A
> better UX would be to offer a pre-filled comment form (or redirect back to
> the referrer with the form prefilled), and offer the chance to change the
> email address or log in.
Something like that would be a necessary part of a spoof check.
> Yes it is. There is a CSRF vulnerability here.
I didn't object to the nonce; fixing that is great.
> It'd be easy to add some style to the comment by a registered user.
OK, but first, that depends on theme designers to implement. Second, if
present that visual cue almost solves the issue by itself: knowing that
someone is posting without login gives you reason for greater skepticism
of that comment and might encourage users to register for that reason.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/13791#comment:6>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
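The spoof check and the visual cue discussed in this comment, sketched as an added example plugin. This is not the ticket's patch and not WordPress core code; it uses the standard `preprocess_comment` and `comment_class` filters together with `get_user_by()`, `is_user_logged_in()`, `wp_login_url()` and `wp_die()`, and the function names prefixed `example_` are hypothetical.

```php
<?php
/**
 * Added example (hypothetical plugin, not the ticket's patch): refuse a
 * comment whose author email belongs to a registered account unless the
 * commenter is logged in as that account, and point them at the login form.
 */
add_filter( 'preprocess_comment', 'example_block_author_impersonation' );

function example_block_author_impersonation( $commentdata ) {
    $email = isset( $commentdata['comment_author_email'] )
        ? trim( $commentdata['comment_author_email'] )
        : '';

    if ( '' === $email ) {
        return $commentdata; // nothing to compare against
    }

    $owner = get_user_by( 'email', $email );
    if ( ! $owner ) {
        return $commentdata; // email is not tied to any account: nothing to check
    }

    // Logged in as the owner of that address: legitimate.
    if ( is_user_logged_in() && get_current_user_id() === (int) $owner->ID ) {
        return $commentdata;
    }

    // Anonymous, or logged in as someone else: send them to the login form
    // and back to the post afterwards rather than silently publishing.
    $post_id  = isset( $commentdata['comment_post_ID'] ) ? (int) $commentdata['comment_post_ID'] : 0;
    $redirect = $post_id ? get_permalink( $post_id ) : home_url( '/' );

    wp_die(
        sprintf(
            '<p>%s</p><p><a href="%s">%s</a></p>',
            esc_html__( 'That email address belongs to a registered user. Log in to comment as that user, or use a different email address.' ),
            esc_url( wp_login_url( $redirect ) ),
            esc_html__( 'Log in' )
        ),
        esc_html__( 'Comment Submission Failure' ),
        array( 'response' => 403, 'back_link' => true )
    );
}

/**
 * Visual cue for themes: comments that are not attached to a user account
 * get an extra CSS class so the theme can style them differently.
 * (Core already adds "byuser" for comments that do have a user_id.)
 */
add_filter( 'comment_class', 'example_flag_unregistered_commenter', 10, 4 );

function example_flag_unregistered_commenter( $classes, $class, $comment_id, $comment ) {
    if ( empty( $comment->user_id ) ) {
        $classes[] = 'unregistered-author';
    }
    return $classes;
}
```

Two caveats a reviewer would raise: the `preprocess_comment` check runs after the form has been submitted, so it only complements, and does not replace, the nonce that closes the CSRF hole; and because the error message differs depending on whether an address is registered, the check confirms which emails have accounts, so sites that care about that should use a wording that does not distinguish the two cases. The class added by the second filter only helps if the theme calls `comment_class()` and styles the class, which is the theme-dependence noted in the comment above.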