[wp-hackers] Plugin update & security / privacy

Ryan Finnie ryan at finnie.org
Tue Sep 25 19:01:01 GMT 2007

On 9/25/07, Matt Mullenweg <m at mullenweg.com> wrote:
> Ryan Finnie wrote:
> > Irregardless of WordPress calling home with URL and plugin info (my 2
> > cents: not too bad, but it should be a core option), people seem to be
> > glossing over this.  What is Akismet sending during each spam check?
> Akismet does send *and use* the $_SERVER variables in a spam check,
> however it excludes with this line:
> $ignore = array( 'HTTP_COOKIE' );
> If you file a patch to that array with the other variables you think
> shouldn't be in there I'll get it in. BTW, Akismet's privacy policy is here:
> http://automattic.com/privacy/

What information is used?  I'm not saying that to be a jerk (indeed,
looking through a dump I could find some use for some of the _SERVER
variables, especially for something like Akismet), but my point is
this sort of data gathering should be by include, not exclude.  That
way it's not prone to accidental sensitive information leakage (as
what is happening here).

That being said, since this is an immediate problem, here's a patch
that will solve this specific problem.


Index: wp-content/plugins/akismet/akismet.php
--- wp-content/plugins/akismet/akismet.php      (revision 19874)
+++ wp-content/plugins/akismet/akismet.php      (working copy)
@@ -189,7 +189,7 @@
        $comment['referrer']   = $_SERVER['HTTP_REFERER'];
        $comment['blog']       = get_option('home');

-       $ignore = array( 'HTTP_COOKIE' );
+       $ignore = array( 'HTTP_COOKIE', 'REMOTE_USER', 'AUTH_TYPE',

        foreach ( $_SERVER as $key => $value )
                if ( !in_array( $key, $ignore ) )

More information about the wp-hackers mailing list