[buddypress-trac] [BuddyPress] #3545: Endless loop in activity stream from unknown user

buddypress-trac at lists.automattic.com
Wed Sep 7 13:37:40 UTC 2011


#3545: Endless loop in activity stream from unknown user
-------------------------------+-----------------------------
 Reporter:  webby101           |       Owner:
     Type:  defect             |      Status:  new
 Priority:  normal             |   Milestone:  Future Release
Component:  Activity           |     Version:  1.2.9
 Severity:  major              |  Resolution:
 Keywords:  reporter-feedback  |
-------------------------------+-----------------------------
Changes (by boonebgorges):

 * milestone:  Awaiting Review => Future Release


Comment:

 The redirect stuff has to do with the fact that BP is unable to
 concatenate a URL properly, because it can't find an associated username.
 That, in itself, is not a hack.

 It almost seems as if someone is managing to send a post request to
 BuddyPress that posts an activity item, without being logged in. I'm at a
 loss for how that would happen, however. There are two places where the
 activity posting function is called in BP. One is in the function
 bp_activity_action_post_update(), which handles non-AJAX posts. The other
 is in bp_dtheme_post_update(), which is BP's AJAX handler for activity
 updates. Both are protected against this kind of thing in two ways: 1)
 they have nonce checks, and 2) they check is_user_logged_in(). Nonce
 checks might possibly be faked, but I'm not sure how the
 is_user_logged_in() bit could be, without also having the user_id be
 passed to the function.

 As jjj suggests, I would look through your plugins to see if there are any
 that do activity posts. Search the contents of your plugin directory for
 'bp_activity_post_update' and for 'activity_update'. If you find any
 instances outside of BuddyPress itself, check them out to see if they are
 doing the two checks mentioned above.

 In the interest of clearing out the Awaiting Review milestone, I'm bumping
 this to Future Release. If we can get enough details to reproduce, and we
 discover that it's a BP core problem, we can of course move it to a real
 milestone.

-- 
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/3545#comment:2>
BuddyPress <http://buddypress.org/>
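The plugin audit suggested in the comment above, as an added example that is not part of the ticket, of BuddyPress or of any plugin: a POSIX shell script that walks a plugin directory, lists every .php file that calls bp_activity_post_update() or contains 'activity_update', and flags the ones that do not also contain both guards the comment names. The comment says "nonce checks" without naming a function, so the script assumes the usual WordPress spellings (wp_verify_nonce, check_admin_referer, check_ajax_referer); the sample plugin directory it builds is constructed here for illustration, and its file layout and function names are assumptions.

```shell
#!/bin/sh
# Added example, not BuddyPress code: the plugin audit from the ticket
# comment as a script. Per .php file it checks for an activity-posting
# call site and for the two guards the comment names: a nonce check
# (assumed spellings: wp_verify_nonce, check_admin_referer,
# check_ajax_referer) and is_user_logged_in(). The check is per file,
# not per code path, so a GUARDED file still deserves a manual read.

# audit_plugins DIR
# Prints "GUARDED<tab>file" or "UNGUARDED<tab>file" per matching file.
audit_plugins() {
    find "$1" -type f -name '*.php' | sort | while IFS= read -r f; do
        grep -qE 'bp_activity_post_update|activity_update' "$f" || continue
        if grep -qE 'wp_verify_nonce|check_(admin|ajax)_referer' "$f" \
           && grep -q 'is_user_logged_in' "$f"; then
            printf 'GUARDED\t%s\n' "$f"
        else
            printf 'UNGUARDED\t%s\n' "$f"
        fi
    done
}

# count_unguarded DIR
# Prints the number of flagged files (0 when the directory is clean).
count_unguarded() {
    audit_plugins "$1" | awk '/^UNGUARDED/ { n++ } END { print n + 0 }'
}

# make_sample_plugins
# Builds a constructed plugin directory (assumed layout, not real
# plugins): one guarded handler, one unguarded handler, one unrelated
# file. Prints the directory path so the caller can audit and remove it.
make_sample_plugins() {
    d=$(mktemp -d)
    mkdir -p "$d/guarded-plugin" "$d/unguarded-plugin" "$d/unrelated-plugin"
    cat > "$d/guarded-plugin/guarded.php" <<'EOF'
<?php
// Constructed sample: both checks run before the activity item is posted.
function sample_guarded_post_update() {
    check_admin_referer( 'post_update', '_wpnonce_post_update' );
    if ( ! is_user_logged_in() ) {
        return false;
    }
    return bp_activity_post_update( array( 'content' => $_POST['content'] ) );
}
EOF
    cat > "$d/unguarded-plugin/unguarded.php" <<'EOF'
<?php
// Constructed sample: posts straight from $_POST with no nonce and no
// login check, so an anonymous request could create an activity item.
function sample_unguarded_post_update() {
    return bp_activity_post_update( array( 'content' => $_POST['content'] ) );
}
EOF
    cat > "$d/unrelated-plugin/unrelated.php" <<'EOF'
<?php
// Constructed sample: no activity posting here at all.
function sample_unrelated() { return 42; }
EOF
    printf '%s\n' "$d"
}

# Usage: sh audit-activity-posts.sh /path/to/wp-content/plugins
if [ "$#" -gt 0 ]; then
    audit_plugins "$1"
fi
```

Run it against wp-content/plugins and read every file it prints, GUARDED or not: a file that happens to contain both strings can still call bp_activity_post_update() from a path that skips them, which is exactly the situation the comment asks the reporter to look for.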