XML-RPC: Fix length validation of anonymous commenter's email address.
Fix the first step of validating an anonymous commenters in which the length is checked prior to running regular expressions. Follow up to [47808]. Merges [49271] to the 5.5 branch. Fixes #51595. git-svn-id: https://develop.svn.wordpress.org/branches/5.5@49273 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
parent
97ebbdab72
commit
81b8d747d2
@ -3912,7 +3912,7 @@ class wp_xmlrpc_server extends IXR_Server {
|
||||
$comment['user_ID'] = 0;
|
||||
|
||||
if ( get_option( 'require_name_email' ) ) {
|
||||
if ( strlen( $comment['comment_author_email'] < 6 ) || '' === $comment['comment_author'] ) {
|
||||
if ( strlen( $comment['comment_author_email'] ) < 6 || '' === $comment['comment_author'] ) {
|
||||
return new IXR_Error( 403, __( 'Comment author name and email are required.' ) );
|
||||
} elseif ( ! is_email( $comment['comment_author_email'] ) ) {
|
||||
return new IXR_Error( 403, __( 'A valid email address is required.' ) );
|
||||
|
@ -95,4 +95,86 @@ class Tests_XMLRPC_wp_newComment extends WP_XMLRPC_UnitTestCase {
|
||||
$this->assertEquals( 403, $result->code );
|
||||
}
|
||||
|
||||
/**
|
||||
* Ensure anonymous comments can be made via XML-RPC.
|
||||
*
|
||||
* @ticket 51595
|
||||
*/
|
||||
function test_allowed_anon_comments() {
|
||||
add_filter( 'xmlrpc_allow_anonymous_comments', '__return_true' );
|
||||
$this->make_user_by_role( 'administrator' );
|
||||
$post = self::factory()->post->create_and_get();
|
||||
|
||||
$comment_args = array(
|
||||
1,
|
||||
'',
|
||||
'',
|
||||
$post->ID,
|
||||
array(
|
||||
'author' => 'WordPress',
|
||||
'author_email' => 'noreply@wordpress.org',
|
||||
'content' => 'Test Anon Comments',
|
||||
),
|
||||
);
|
||||
|
||||
$result = $this->myxmlrpcserver->wp_newComment( $comment_args );
|
||||
$this->assertNotIXRError( $result );
|
||||
$this->assertInternalType( 'int', $result );
|
||||
}
|
||||
|
||||
/**
|
||||
* Ensure anonymous XML-RPC comments require a valid email.
|
||||
*
|
||||
* @ticket 51595
|
||||
*/
|
||||
function test_anon_comments_require_email() {
|
||||
add_filter( 'xmlrpc_allow_anonymous_comments', '__return_true' );
|
||||
$this->make_user_by_role( 'administrator' );
|
||||
$post = self::factory()->post->create_and_get();
|
||||
|
||||
$comment_args = array(
|
||||
1,
|
||||
'',
|
||||
'',
|
||||
$post->ID,
|
||||
array(
|
||||
'author' => 'WordPress',
|
||||
'author_email' => 'noreply at wordpress.org',
|
||||
'content' => 'Test Anon Comments',
|
||||
),
|
||||
);
|
||||
|
||||
$result = $this->myxmlrpcserver->wp_newComment( $comment_args );
|
||||
$this->assertIXRError( $result );
|
||||
$this->assertSame( 403, $result->code );
|
||||
}
|
||||
|
||||
/**
|
||||
* Ensure valid users don't use the anon flow.
|
||||
*
|
||||
* @ticket 51595
|
||||
*/
|
||||
function test_username_avoids_anon_flow() {
|
||||
add_filter( 'xmlrpc_allow_anonymous_comments', '__return_true' );
|
||||
$this->make_user_by_role( 'administrator' );
|
||||
$post = self::factory()->post->create_and_get();
|
||||
|
||||
$comment_args = array(
|
||||
1,
|
||||
'administrator',
|
||||
'administrator',
|
||||
$post->ID,
|
||||
array(
|
||||
'author' => 'WordPress',
|
||||
'author_email' => 'noreply at wordpress.org',
|
||||
'content' => 'Test Anon Comments',
|
||||
),
|
||||
);
|
||||
|
||||
$result = $this->myxmlrpcserver->wp_newComment( $comment_args );
|
||||
$comment = get_comment( $result );
|
||||
$user_id = get_user_by( 'login', 'administrator' )->ID;
|
||||
|
||||
$this->assertSame( $user_id, (int) $comment->user_id );
|
||||
}
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user