[wp-hackers] WordPress Checking Own Pingbacks - Intended Behavior?

Computer Guru computerguru at neosmart.net
Mon Nov 19 16:20:13 GMT 2007


On 11/19/07, Dougal Campbell <dougal at gunters.org> wrote:
>
> Viper007Bond wrote:
> > I disagree. This is an Akismet issue.
> >
> > Your solution would be to avoid filtering local pingback/trackbacks.
> > This is bad and would break some plugins and would provide no way to
> > filter them at all.
> >
> > Akismet needs to be smart enough to ignore ****backs from a local
> > source.
> >
>
> On the one hand, we *can* look at the source URL provided in a *back,
> compare it to our local blog URL and see if the hostnames match. But on
> the other hand, this does not guarantee that the ping actually came from
> an internal post. There's nothing to stop a Bad Guy from flooding your
> blog with faked pings that claim to be from your own posts.
>
> If you whitelist pings that appear to be from your own blog without
> doing other checks (outside of the pingback/trackback specifications),
> you'll open yourself up for a sort of DoS attack. Really, the only way
> to know if a ping is really local is if you can determine the IP number
> your host uses for outgoing traffic. Which is not necessarily the same
> IP that DNS gives for your blog's hostname. And there's no consistent
> way to determine it in an automated fashion, due to the vast differences
> in operating systems and hosting setups in use out in the wild.
>
> Even if you set up some sort of self-ping verification process to try to
> capture the IP, in many hosting setups there's no guarantee that the IP
> wouldn't change at a future time. In fact, there may be a different
> outgoing IP number on a request-by-request basis (multi-homed networks).
>
> If you want to try to define what a "local" ping is, I think it needs to
> be done in a separate plugin that can examine it before Akismet does,
> and bypass Akismet as needed. The problem is that this theoretical
> plugin isn't necessarily going to be generic enough to cover all
> possible hosting scenarios.
>
> --
> Dougal Campbell <dougal at gunters.org>
> http://dougal.gunters.org/
>
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>

That's overkill though.....

1) What would someone benefit by spamming your blog with links to itself?

2) Define it to be "local" and valid

a) the pinging post's uri is ^%YOUR_BLOG_URI%.+$

b) pinging post's contents contain a link to yours.

c) pinged post does not already contain link from pinging post.

Wouldn't that do it?

Or, a one-click way: define a new function that directly adds an internal
pingback - it can only be accessed from code, therefore pingback is
guaranteed to be local.

e.g. in the pingback-sending code, do a check like this:

if (strpos($pingeduri, $blog_url) === 0) // pinged URI starts with our own blog URL
    add_guaranteed_pingback($posturi, $pingbacktext);

Then send it on its merry way....
-- 
Computer Guru
Director,
NeoSmart Technologies
http://neosmart.net/blog/
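As an added example (not code from this thread, from WordPress or from Akismet), here is the "local ping" test proposed above written out as a standalone PHP check, with Dougal's caveat folded in: the claimed source URL is only a prefix match, so criterion (b) is checked by fetching that (local) source and looking for a real link to the target. The function names is_local_pingback and page_links_to, the injected $fetch callable and the sample pages are all hypothetical or constructed.

```php
<?php
// Added example, not part of the original thread or of WordPress/Akismet.
// Decides whether an incoming pingback can be treated as "local" before it is
// handed to a spam filter. Criteria (a), (b), (c) follow the proposal above.

function is_local_pingback(string $blog_url, string $source_uri, string $target_uri,
                           string $target_content, callable $fetch): bool {
    $blog_url = rtrim($blog_url, '/') . '/';

    // (a) pinging post's URI must match ^BLOG_URI.+$ : a prefix check, not strstr,
    //     so "http://evil.example/?u=http://blog.example/x" is rejected.
    if (strpos($source_uri, $blog_url) !== 0 || strlen($source_uri) === strlen($blog_url)) {
        return false;
    }
    // The pinged post must be ours too, otherwise this is not a self-ping at all.
    if (strpos($target_uri, $blog_url) !== 0) {
        return false;
    }
    // (c) pinged post must not already carry a link from the pinging post.
    if (page_links_to($target_content, $source_uri)) {
        return false;
    }
    // (b) fetch the claimed source and confirm it really links to the target.
    //     Because (a) already passed, the fetch only ever goes to our own host;
    //     a forged ping naming a non-existent or unrelated local URL fails here.
    $source_content = $fetch($source_uri);
    if ($source_content === null) {
        return false;
    }
    return page_links_to($source_content, $target_uri);
}

// True if $html contains an anchor whose href is exactly $uri (trailing slash ignored).
function page_links_to(string $html, string $uri): bool {
    if (!preg_match_all('/href\s*=\s*["\']([^"\']+)["\']/i', $html, $m)) {
        return false;
    }
    foreach ($m[1] as $href) {
        if (rtrim($href, '/') === rtrim($uri, '/')) {
            return true;
        }
    }
    return false;
}

// Constructed sample site: two posts, the newer one links to the older one.
$blog  = 'http://blog.example/';
$pages = [
    'http://blog.example/2007/11/new-post/' =>
        '<p>See my <a href="http://blog.example/2007/10/old-post/">older post</a>.</p>',
    'http://blog.example/2007/10/old-post/' =>
        '<p>Original post, no links yet.</p>',
];
// Offline stand-in for an HTTP fetch of one of our own pages.
$fetch = function (string $uri) use ($pages): ?string {
    return $pages[$uri] ?? null;
};

$target = 'http://blog.example/2007/10/old-post/';

// Genuine self-ping from the newer post: accepted.
var_dump(is_local_pingback($blog, 'http://blog.example/2007/11/new-post/', $target, $pages[$target], $fetch));
// Forged ping claiming a local source that does not exist: rejected at (b).
var_dump(is_local_pingback($blog, 'http://blog.example/2007/11/not-real/', $target, $pages[$target], $fetch));
// Attacker URL that merely contains the blog URL: rejected at (a).
var_dump(is_local_pingback($blog, 'http://evil.example/?u=http://blog.example/x', $target, $pages[$target], $fetch));
```

The design point is that the only thing an outsider can still do is forge a ping whose claimed source is a real local post that genuinely links to the target, and that ping carries exactly the data the blog would have sent itself; (c) then deduplicates it, so the flood Dougal describes reduces to one bounded fetch of your own page per request rather than an unfiltered whitelist.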