[wp-hackers] Re: [wp-svn] [2562]
trunk/wp-includes/comment-functions.php: Whitelist from own domain.
Joseph Scott
joseph at randomnetworks.com
Wed Apr 20 23:19:21 GMT 2005
On Apr 20, 2005, at 3:01 PM, m at wordpress.org wrote:
> Revision
> 2562
> Author
> matt
> Date
> 2005-04-20 22:01:24 +0000 (Wed, 20 Apr 2005)
>
> Log Message
> Whitelist from own domain.
> http://mosquito.wordpress.org/view.php?id=999
>
> Modified Files
> trunk/wp-includes/comment-functions.php
>
> Diff
>
>
> trunk/wp-includes/comment-functions.php (2561 => 2562)
> --- trunk/wp-includes/comment-functions.php 2005-04-20 21:56:28
> UTC (rev 2561)
> +++ trunk/wp-includes/comment-functions.php 2005-04-20 22:01:24
> UTC (rev 2562)
> @@ -652,7 +652,9 @@
> if ( 'trackback' == $comment_type || 'pingback' ==
> $comment_type ) { // check if domain is in blogroll
> $uri = parse_url($url);
> $domain = $uri['host'];
> - if ( $wpdb->get_var("SELECT link_id FROM
> $wpdb->links WHERE link_url LIKE ('%$domain%') LIMIT 1") )
> + $uri = parse_url( get_option('home') );
> + $home_domain = $uri['host'];
> + if ( $wpdb->get_var("SELECT link_id FROM
> $wpdb->links WHERE link_url LIKE ('%$domain%') LIMIT 1") || $domain ==
> $home_domain )
> return true;
> else
> return false;
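Review bot: the new `|| $domain == $home_domain` branch auto-approves on the host of `$url`, which is the URL the incoming trackback/pingback itself supplies, so the check passes for any sender who claims the blog's own home URL; if the intent is to trust only the site's own outgoing trackbacks, the decision needs a signal the sender cannot choose (the existing blogroll lookup at least requires a matching `link_url` row). Two smaller points in the same hunk: `LIKE ('%$domain%')` matches any `link_url` that merely contains the host as a substring, and `$domain` comes from `parse_url()` of untrusted input and is interpolated into the query without escaping, so comparing the parsed host of each link for equality (case-insensitively) and escaping `$domain` before interpolation would be safer. Finally, `$uri['host']` is read without checking that `parse_url()` returned a host; for a `$url` with no host this yields a notice and an empty `$domain`, and `LIKE ('%%')` then matches every link row.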
I've only spent a few minutes looking at the code that uses this
(wp-includes/functions-post.php) so please correct me if I'm wrong. My
reading of the code seems to indicate that any comment can now
instantly be approved (skipping checks used to prevent spam) simply by
using the URL that the WP install is running on. If that is the case
then I suggest that this is a really bad idea and will likely be
exploited by spammers.
Again, I've only briefly looked through the code so there may be a
filter or some other component that prevents. I hope that is the case.
--
Joseph Scott
http://joseph.randomnetworks.com/
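To make the concern in the reply concrete, here is an added example (not code from the patch, from WordPress, or from Joseph Scott) that isolates the r2562 whitelist decision as a pure function, with the database lookup replaced by an in-memory list of blogroll URLs, and places a stricter variant beside it. The home URL, blogroll entries and test URLs are constructed sample data; the stricter variant is an assumption about a safer check, not a change WordPress made.

```php
<?php
// Added example, not the patch's own code. The decision from r2562, with
// $wpdb->links replaced by an array of link_url strings (constructed data).

// r2562 behaviour: the claimed URL's host is whitelisted if any blogroll
// link_url CONTAINS it (LIKE '%host%') or it equals the home host.
function r2562_whitelisted(string $claimed_url, string $home_url, array $blogroll): bool {
    $domain = parse_url($claimed_url, PHP_URL_HOST);
    $home_domain = parse_url($home_url, PHP_URL_HOST);
    if (!is_string($domain) || $domain === '') {
        return false; // r2562 has no such guard; it would compare an empty host
    }
    foreach ($blogroll as $link_url) {
        // SQL LIKE is a case-insensitive substring match, modelled with stripos()
        if (stripos($link_url, $domain) !== false) {
            return true;
        }
    }
    // The home-host shortcut trusts the host of the sender-supplied URL.
    return $domain == $home_domain;
}

// Stricter variant (assumption, not a WordPress change): compare the claimed
// host for equality against the parsed host of each blogroll link, case-
// insensitively, and grant no auto-approval on the home host, because the
// claimed URL is chosen by whoever sends the trackback/pingback.
function strict_whitelisted(string $claimed_url, array $blogroll): bool {
    $domain = parse_url($claimed_url, PHP_URL_HOST);
    if (!is_string($domain) || $domain === '') {
        return false;
    }
    $domain = strtolower($domain);
    foreach ($blogroll as $link_url) {
        $link_host = parse_url($link_url, PHP_URL_HOST);
        if (is_string($link_host) && strtolower($link_host) === $domain) {
            return true;
        }
    }
    return false;
}

// Constructed sample data.
$home     = 'http://blog.example.org/';
$blogroll = ['http://friend.example.net/', 'http://www.example.com/links'];

$cases = [
    'http://friend.example.net/post/1',  // genuine blogroll host: both say true
    'http://blog.example.org/',          // claimed home host: r2562 true, strict false
    'http://xample.com/',                // substring of www.example.com: r2562 true, strict false
    'not a url',                         // no host: both false
];
foreach ($cases as $url) {
    printf("%-36s r2562=%-5s strict=%s\n", $url,
        var_export(r2562_whitelisted($url, $home, $blogroll), true),
        var_export(strict_whitelisted($url, $blogroll), true));
}
```

Run it with `php example.php`; the second and third rows show the two decisions diverging exactly where the reply and the reviewer note point: the home-host shortcut and the substring `LIKE` both accept a URL the sender chose, while exact host comparison does not.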