[wp-trac] Re: [WordPress Trac] #4344: Posting comments from external websites
    WordPress Trac
    wp-trac at lists.automattic.com
    Sun May 27 11:32:52 GMT 2007
#4344: Posting comments from external websites
-----------------------+----------------------------------------------------
 Reporter:  PsychoGun  |        Owner:  anonymous
     Type:  defect     |       Status:  closed   
 Priority:  high       |    Milestone:           
Component:  Security   |      Version:           
 Severity:  normal     |   Resolution:  invalid  
 Keywords:             |  
-----------------------+----------------------------------------------------
Changes (by westi):
  * status:  reopened => closed
  * resolution:  => invalid
Comment:
 This is protected by a nonce check for any user with unfiltered html:
 default-filters.php - adds a nonce to the comment form:
 http://trac.wordpress.org/browser/tags/2.2/wp-includes/default-filters.php#L34
 comment-template.php - the nonce is added using this code:
 http://trac.wordpress.org/browser/trunk/wp-includes/comment-template.php#L274
 wp-comments-post.php - and the nonce is checked here:
 http://trac.wordpress.org/browser/tags/2.2/wp-comments-post.php#L38
 This means that any comment post by the admin - or any other user with the
 unfiltered html capability - must have a valid nonce, or the comment is
 filtered as it would be for any other user using kses.
 Therefore this report is invalid.
-- 
Ticket URL: <http://trac.wordpress.org/ticket/4344#comment:6>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
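A model of the check described in the comment above, added here as an example and not code from WordPress: the site embeds a per-user, per-post nonce in the comment form it renders, and a user with the unfiltered_html capability keeps raw HTML only when the submitted nonce verifies; any other submission, including one from a form on an external site that cannot know the nonce, goes through a (simplified) kses allowlist. The secret, the action name, the tag allowlist and the sample comments are all constructed for this example.

```python
import hashlib
import hmac
import re

# Constructed stand-in for the site's secret salt (assumption, not a WordPress value).
SECRET = b"constructed-demo-salt"
# Simplified stand-in for the kses allowlist; real kses is far more complete.
ALLOWED_TAGS = {"a", "b", "em", "strong", "code", "blockquote"}
TAG_RE = re.compile(r"</?\s*([a-zA-Z0-9]+)[^>]*>")


def create_nonce(action: str, user_id: int) -> str:
    """Nonce bound to an action and a user; only the site holds SECRET, so only it can mint one."""
    msg = f"{action}|{user_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:10]


def verify_nonce(nonce: str, action: str, user_id: int) -> bool:
    """Constant-time comparison against the nonce the site would have issued."""
    return hmac.compare_digest(nonce.encode(), create_nonce(action, user_id).encode())


def kses(content: str) -> str:
    """Drop every tag not on the allowlist (attributes of allowed tags are left as-is here)."""
    return TAG_RE.sub(lambda m: m.group(0) if m.group(1).lower() in ALLOWED_TAGS else "", content)


def process_comment(post: dict, user: dict) -> str:
    """Return the comment body as it would be stored.

    Raw HTML survives only for a user who has unfiltered_html AND whose POST
    carries the nonce embedded in the form the site rendered for that user.
    Everything else, including a forged cross-site submission, is filtered.
    """
    content = post["comment"]
    if user.get("unfiltered_html"):
        action = f"unfiltered-html-comment_{post['comment_post_ID']}"  # action name is an assumption
        if verify_nonce(post.get("_wp_unfiltered_html_comment", ""), action, user["id"]):
            return content
    return kses(content)


if __name__ == "__main__":
    admin = {"id": 1, "unfiltered_html": True}
    body = "<b>hi</b><script>alert(1)</script>"  # constructed sample comment
    good = create_nonce("unfiltered-html-comment_7", 1)
    print(process_comment({"comment_post_ID": 7, "comment": body,
                           "_wp_unfiltered_html_comment": good}, admin))  # raw HTML kept
    print(process_comment({"comment_post_ID": 7, "comment": body}, admin))  # no nonce: filtered
```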