SECURITY: Discussion Settings Do Not Work in 2.6.1

I have identified the first bug. At the top of comment.php, WordPress is using the wrong regex:

“|(href\t*?=\t*?[‘\”]?)?(https?:)?//|i”

This is the wrong pattern because WordPress is much more liberal about displaying links in comments.

Is this the correct place to report this security problem?

firstly, have you determined that what you are seeing is actually a comment. Supposed bug reports that 1.) appear months after a release is deemed obsolete, and 2.) would have been previously noticed by thousands of other users are highly suspect as being legitimate.

I suspect there is something else going on. No offense.. but youre not exactly the first person to have comment moderation and notification turned on.

I believe the second bug is in wp_new_comment()

if ( ‘0’ == $commentdata[‘comment_approved’] )
wp_notify_moderator($comment_ID);

As I understand it, the admin is never notified unless the comment is held for moderation (or later in the function, if the admin happens to be the post author).

Whooami, Yes I have confirmed this is actually a comment. I have logged the following client input on my server.

‘202.133.81.158’ Sat, 06 Dec 2008 16:37:30 GMT
/wp-comments-post.php
Array
(
[author] => love2003
[email] => [email protected]
[url] => https://medicindo.blogspot.com
[comment] => Spoke about the matter of the economic crisis, how you faced?
https://www.medicindo.blogspot.com
[submit] => Submit Comment
[comment_post_ID] => 1195
)

The above comment appeared on my blog with no notice and no moderation.

im missing your point. Comment notifications and moderation works fine in that exploitable version of wordpress that you are using.

countless people have used both.

As I understand it, the admin is never notified unless the comment is held for moderation (or later in the function, if the admin happens to be the post author).

if you look in the wp-admin, the settings for that are right there:

E-mail me whenever:
>> E-mail me whenever Anyone posts a comment
>> A comment is held for moderation

With the caveat that admins do NOT get notified when someone comments on a post that they didnt write. Thats correct, and thats intentional.

If you trust someone enough to write, you need to trust someone enough to moderate the comments to what it is, they wrote..

I have identified the full regex problem now.

default-filters.php calls

add_filter(‘comment_text’, ‘make_clickable’, 9);

And in formatting.php we have

function make_clickable($ret) {
$ret = ‘ ‘ . $ret;
// in testing, using arrays here was found to be faster
$ret = preg_replace_callback(‘#([\s>])([\w]+?://[\w\#$%&~/.\-;:=,?@\[\]+]*)#is’, ‘_make_url_clickable_cb’, $ret);
$ret = preg_replace_callback(‘#([\s>])((www|ftp)\.[\w\#$%&~/.\-;:=,?@\[\]+]*)#is’, ‘_make_web_ftp_clickable_cb’, $ret);
$ret = preg_replace_callback(‘#([\s>])([.0-9a-z_+-]+)@(([0-9a-z-]+\.)+[0-9a-z]{2,})#i’, ‘_make_email_clickable_cb’, $ret);
// this one is not in an array because we need it to run last, for cleanup of accidental links within links
$ret = preg_replace(“#(<a( [^>]+?>|>))]+?>([^>]+?)#i”, “$1$3”, $ret);
$ret = trim($ret);
return $ret;
}

Now contrast this against the filter being used by check_comment(), which is only “|(href\t*?=\t*?[‘\”]?)?(https?:)?//|i”

Whooami, I hope you are not the person in charge of security here because your replies are irresponsible.

Correctness or otherwise aside for the time being, there is an open ticket on the wording of the notification settings, which could be taken to be somewhat misleading.

If you believe that the pattern matching is wrong, I’d suggest opening a ticket with your preferred changes in it. But I’d open it against a current version of WP, rather than 2.6.1. (The code, incidentally, is the same.)

Thank you mrmist. For the sake of this conversation I have opened wordpress-2.6.5.zip and found the same code is still being used in check_comment().

I don’t remember opening a ticket here before. How would I begin?

Okay I think I found the right page from your “an open ticket” link.

https://trac.www.ads-software.com/ticket/8517

This also duplicates https://trac.www.ads-software.com/ticket/7821

I found the fix in https://svn.automattic.com/wordpress/trunk/wp-includes/comment.php

Marking this topic resolved now. Thanks again mrmist for pointing me in the right direction.