Private info leak
I think it is a bad thing to allow all contributors to see the IPs of all comments.
So, I have changed wp-admin/includes/template.php in this way:
replaced
<?php _e('IP:') ?> <a href="https://ws.arin.net/cgi-bin/whois.pl?queryinput=<?php comment_author_IP() ?>"><?php comment_author_IP() ?></a>
in _wp_comment_list_item with
<?php if ( current_user_can( 'moderate_comments' ) ) { ?> <?php _e('IP:') ?> <a href="https://ws.arin.net/cgi-bin/whois.pl?queryinput=<?php comment_author_IP() ?>"><?php comment_author_IP() ?></a> <?php } ?>
and in _wp_get_comment_list changed SQL from
$comments = $wpdb->get_results("SELECT SQL_CALC_FOUND_ROWS * FROM $wpdb->comments WHERE (comment_author LIKE '%$s%' OR comment_author_email LIKE '%$s%' OR comment_author_url LIKE ('%$s%') OR comment_author_IP LIKE ('%$s%') OR comment_content LIKE ('%$s%') ) AND comment_approved != 'spam' ORDER BY comment_date DESC LIMIT $start, $num");
to
$comments = $wpdb->get_results("SELECT SQL_CALC_FOUND_ROWS * FROM $wpdb->comments WHERE (comment_author LIKE '%$s%' OR comment_author_email LIKE '%$s%' OR comment_author_url LIKE ('%$s%') OR ".(current_user_can( 'moderate_comments' ) ? " comment_author_IP LIKE ('%$s%') OR " : "")." comment_content LIKE ('%$s%') ) AND comment_approved != 'spam' ORDER BY comment_date DESC LIMIT $start, $num");
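The two changes in the post follow one rule: the capability that gates displaying the IP must also gate searching on it. The standalone PHP below is an added example, not part of the original post and not WordPress code; the function names, the boolean `$canModerate` (standing in for `current_user_can( 'moderate_comments' )`), the bound `?` placeholders and the sample row are assumptions.

```php
<?php
// Added example with hypothetical names; not WordPress core code.

// Columns any user who can open the comment list may search.
const PUBLIC_SEARCH_COLUMNS = ['comment_author', 'comment_author_email',
                               'comment_author_url', 'comment_content'];

/**
 * Build the WHERE fragment and bound values for a comment search.
 * $canModerate stands in for current_user_can('moderate_comments').
 */
function build_comment_search(string $term, bool $canModerate): array
{
    $columns = PUBLIC_SEARCH_COLUMNS;
    if ($canModerate) {
        // Only moderators may match on the IP column; otherwise a search
        // hit would confirm an address even when the display hides it.
        $columns[] = 'comment_author_IP';
    }
    // Escape LIKE wildcards so the term is matched literally.
    $like = '%' . addcslashes($term, '_%\\') . '%';
    $clauses = [];
    $params = [];
    foreach ($columns as $col) {
        $clauses[] = "$col LIKE ?";
        $params[] = $like;
    }
    $where = '(' . implode(' OR ', $clauses) . ") AND comment_approved != 'spam'";
    return [$where, $params];
}

/** Return only the fields of a comment row the viewer may see. */
function visible_comment_fields(array $row, bool $canModerate): array
{
    if (!$canModerate) {
        unset($row['comment_author_IP']);
    }
    return $row;
}

// Constructed sample row and search term (documentation address range).
$row = ['comment_author' => 'alice', 'comment_content' => 'hi',
        'comment_author_IP' => '192.0.2.10'];
foreach ([false, true] as $canModerate) {
    [$where, $params] = build_comment_search('192.0.2', $canModerate);
    echo $canModerate ? "moderator:\n" : "contributor:\n";
    echo "  $where\n  bound values: " . count($params) . "\n";
    echo '  fields: ' . implode(', ', array_keys(visible_comment_fields($row, $canModerate))) . "\n";
}
```

For the contributor case the generated clause has four `LIKE` terms and no `comment_author_IP`, so an IP fragment typed into the search box cannot select comments by address.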