Robert Chapin
Forum Replies Created
Forum: Installing WordPress
In reply to: WordPress Download Hacked?
On the bright side we have the same file size, whatever it may contain.
Forum: Fixing WordPress
In reply to: Can't Edit Previous Post
Could someone delete that topic for me so I can start over?
Forum: Fixing WordPress
In reply to: SECURITY: Discussion Settings Do Not Work in 2.6.1
This also duplicates https://trac.www.ads-software.com/ticket/7821
I found the fix in https://svn.automattic.com/wordpress/trunk/wp-includes/comment.php
Marking this topic resolved now. Thanks again mrmist for pointing me in the right direction.
Forum: Fixing WordPress
In reply to: SECURITY: Discussion Settings Do Not Work in 2.6.1
Okay, I think I found the right page from your "an open ticket" link.
Forum: Fixing WordPress
In reply to: SECURITY: Discussion Settings Do Not Work in 2.6.1
Thank you mrmist. For the sake of this conversation I have opened wordpress-2.6.5.zip and found the same code is still being used in check_comment().
I don’t remember opening a ticket here before. How would I begin?
Forum: Fixing WordPress
In reply to: SECURITY: Discussion Settings Do Not Work in 2.6.1
Whooami, I hope you are not the person in charge of security here because your replies are irresponsible.
Forum: Fixing WordPress
In reply to: SECURITY: Discussion Settings Do Not Work in 2.6.1
I have identified the full regex problem now.
default-filters.php calls
add_filter('comment_text', 'make_clickable', 9);
And in formatting.php we have
function make_clickable($ret) {
    $ret = ' ' . $ret;
    // in testing, using arrays here was found to be faster
    // the _make_*_clickable_cb callbacks are defined next to this function in formatting.php
    $ret = preg_replace_callback('#([\s>])([\w]+?://[\w\#$%&~/.\-;:=,?@\[\]+]*)#is', '_make_url_clickable_cb', $ret);
    $ret = preg_replace_callback('#([\s>])((www|ftp)\.[\w\#$%&~/.\-;:=,?@\[\]+]*)#is', '_make_web_ftp_clickable_cb', $ret);
    $ret = preg_replace_callback('#([\s>])([.0-9a-z_+-]+)@(([0-9a-z-]+\.)+[0-9a-z]{2,})#i', '_make_email_clickable_cb', $ret);
    // this one is not in an array because we need it to run last, for cleanup of accidental links within links
    $ret = preg_replace("#(<a( [^>]+?>|>))<a [^>]+?>([^>]+?)</a></a>#i", "$1$3</a>", $ret);
    $ret = trim($ret);
    return $ret;
}
Now contrast this against the filter being used by check_comment(), which is only "|(href\t*?=\t*?['\"]?)?(https?:)?//|i"
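To make the mismatch between the two pattern sets concrete, here is an added Python example (not code from this thread or from WordPress itself) that translates both the check_comment() pattern and the three make_clickable() patterns into Python's re syntax and reports which comments would be displayed with links that the moderation count never sees; the sample comments are constructed, and applying each make_clickable() pattern to the original text rather than to the previous pattern's output is an approximation that holds for these samples.

```python
import re

# check_comment() link-counting pattern from comment.php (WordPress 2.6.x), as quoted
# in the thread, translated from the PCRE form "|...|i" into Python's re syntax.
CHECK_COMMENT_LINK = re.compile(r"(href\t*?=\t*?['\"]?)?(https?:)?//", re.I)

# The three auto-link patterns make_clickable() runs in formatting.php, translated the same way.
# Each is applied here to the original text, not to the previous pattern's output, which is an
# approximation (assumption) that is exact for the constructed samples below.
MAKE_CLICKABLE = [
    re.compile(r"([\s>])([\w]+?://[\w\#$%&~/.\-;:=,?@\[\]+]*)", re.I | re.S),
    re.compile(r"([\s>])((www|ftp)\.[\w\#$%&~/.\-;:=,?@\[\]+]*)", re.I | re.S),
    re.compile(r"([\s>])([.0-9a-z_+-]+)@(([0-9a-z-]+\.)+[0-9a-z]{2,})", re.I),
]


def links_counted_for_moderation(content: str) -> int:
    """Links check_comment() counts against the comment_max_links setting."""
    return len(CHECK_COMMENT_LINK.findall(content))


def links_rendered_clickable(content: str) -> int:
    """Anchors make_clickable() would create when the comment is displayed."""
    text = " " + content  # make_clickable() prepends a space so a leading URL still matches
    return sum(len(p.findall(text)) for p in MAKE_CLICKABLE)


def uncounted_links(content: str) -> int:
    """Links that display as clickable but never count toward moderation."""
    return max(0, links_rendered_clickable(content) - links_counted_for_moderation(content))


def find_uncounted(comments):
    """Return the comments that the regex mismatch affects."""
    return [c for c in comments if uncounted_links(c) > 0]


# Constructed sample comments; none of them are taken from the log posted in this thread.
SAMPLES = [
    "see http://example.com/page for details",
    "visit www.example.com and ftp.example.org now",
    "mail me at someone@example.org",
]

if __name__ == "__main__":
    for comment in SAMPLES:
        print(uncounted_links(comment), comment)
```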
Forum: Fixing WordPress
In reply to: SECURITY: Discussion Settings Do Not Work in 2.6.1
Whooami, yes, I have confirmed this is actually a comment. I have logged the following client input on my server.
‘202.133.81.158’ Sat, 06 Dec 2008 16:37:30 GMT
/wp-comments-post.php
Array
(
[author] => love2003
[email] => [email protected]
[url] => https://medicindo.blogspot.com
[comment] => Spoke about the matter of the economic crisis, how you faced?
https://www.medicindo.blogspot.com
[submit] => Submit Comment
[comment_post_ID] => 1195
)
The above comment appeared on my blog with no notice and no moderation.
Forum: Fixing WordPress
In reply to: SECURITY: Discussion Settings Do Not Work in 2.6.1
I believe the second bug is in wp_new_comment()
if ( '0' == $commentdata['comment_approved'] )
    wp_notify_moderator($comment_ID);
As I understand it, the admin is never notified unless the comment is held for moderation (or later in the function, if the admin happens to be the post author).
Forum: Fixing WordPress
In reply to: SECURITY: Discussion Settings Do Not Work in 2.6.1
I have identified the first bug. At the top of comment.php, WordPress is using the wrong regex:
"|(href\t*?=\t*?['\"]?)?(https?:)?//|i"
This is the wrong pattern because WordPress is much more liberal about displaying links in comments.
Is this the correct place to report this security problem?
Forum: Fixing WordPress
In reply to: No Caption for Full Size Images
Fixed now. I was using the recommendation from https://www.ads-software.com/support/topic/164667 to change the media.php file and that seems to break the caption system.
Forum: Plugins
In reply to: Where is the Akismet Change Log?
Thanks! It looks like mostly changes for the WP2.7 beta, so I'll skip the upgrade.
Forum: Fixing WordPress
In reply to: Insert Image Is Screwy After Upgrade
This issue is resolved by qTranslate version 1.1.3.
Forum: Fixing WordPress
In reply to: Insert Image Is Screwy After Upgrade
Yes, that would be great. The only way this will get attention is if people complain!
Forum: Fixing WordPress
In reply to: Insert Image Is Screwy After Upgrade
Thank you fuzzfais! I thought it was just me! And still no word from the qTranslate author. Have you tried to contact him?