From 81b8d747d2951ccd8f924c00b56d4c57a8eaba52 Mon Sep 17 00:00:00 2001
From: Peter Wilson
Date: Thu, 22 Oct 2020 02:45:47 +0000
Subject: [PATCH] XML-RPC: Fix length validation of anonymous commenter's email address.

Fix the first step of validating an anonymous commenters in which the length is checked prior to running regular expressions.

Follow up to [47808].

Merges [49271] to the 5.5 branch.

Fixes #51595.

git-svn-id: https://develop.svn.wordpress.org/branches/5.5@49273 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/class-wp-xmlrpc-server.php   |  2 +-
 tests/phpunit/tests/xmlrpc/wp/newComment.php | 82 ++++++++++++++++++++
 2 files changed, 83 insertions(+), 1 deletion(-)

diff --git a/src/wp-includes/class-wp-xmlrpc-server.php b/src/wp-includes/class-wp-xmlrpc-server.php
index d89701cc21..aa6e3d8980 100644
--- a/src/wp-includes/class-wp-xmlrpc-server.php
+++ b/src/wp-includes/class-wp-xmlrpc-server.php
@@ -3912,7 +3912,7 @@ class wp_xmlrpc_server extends IXR_Server {
 		$comment['user_ID'] = 0;
 
 		if ( get_option( 'require_name_email' ) ) {
-			if ( strlen( $comment['comment_author_email'] < 6 ) || '' === $comment['comment_author'] ) {
+			if ( strlen( $comment['comment_author_email'] ) < 6 || '' === $comment['comment_author'] ) {
 				return new IXR_Error( 403, __( 'Comment author name and email are required.' ) );
 			} elseif ( ! is_email( $comment['comment_author_email'] ) ) {
 				return new IXR_Error( 403, __( 'A valid email address is required.' ) );
diff --git a/tests/phpunit/tests/xmlrpc/wp/newComment.php b/tests/phpunit/tests/xmlrpc/wp/newComment.php
index a44361ae60..b7161c79e9 100644
--- a/tests/phpunit/tests/xmlrpc/wp/newComment.php
+++ b/tests/phpunit/tests/xmlrpc/wp/newComment.php
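Review bot: The corrected guard still hands `$comment['comment_author_email']` straight to `strlen()`, and nothing in this hunk shows that value being coerced to a string; if it is assigned directly from the RPC payload earlier in `wp_newComment()` (the method begins above the hunk, so this is inferred, not visible), a client can supply an array or integer there, which `strlen()` rejects with a warning on PHP 7 and a `TypeError` on PHP 8 instead of the intended 403. A defensive form that keeps the same outcome for well-formed requests is `$author_email = (string) $comment['comment_author_email'];` followed by `if ( strlen( $author_email ) < 6 || '' === $comment['comment_author'] ) {`, with the same cast applied to `comment_author` before the `'' ===` comparison. Separately, a present but shorter-than-six-byte address is reported as "Comment author name and email are required", which misdescribes the problem; if `is_email()` already enforces a minimum length (confirm in core), checking `'' === $comment['comment_author_email']` here and leaving length to the `elseif` would give callers the more accurate 'A valid email address is required.' message.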
@@ -95,4 +95,86 @@ class Tests_XMLRPC_wp_newComment extends WP_XMLRPC_UnitTestCase {
 		$this->assertEquals( 403, $result->code );
 	}
 
+	/**
+	 * Ensure anonymous comments can be made via XML-RPC.
+	 *
+	 * @ticket 51595
+	 */
+	function test_allowed_anon_comments() {
+		add_filter( 'xmlrpc_allow_anonymous_comments', '__return_true' );
+		$this->make_user_by_role( 'administrator' );
+		$post = self::factory()->post->create_and_get();
+
+		$comment_args = array(
+			1,
+			'',
+			'',
+			$post->ID,
+			array(
+				'author'       => 'WordPress',
+				'author_email' => 'noreply@wordpress.org',
+				'content'      => 'Test Anon Comments',
+			),
+		);
+
+		$result = $this->myxmlrpcserver->wp_newComment( $comment_args );
+		$this->assertNotIXRError( $result );
+		$this->assertInternalType( 'int', $result );
+	}
+
+	/**
+	 * Ensure anonymous XML-RPC comments require a valid email.
+	 *
+	 * @ticket 51595
+	 */
+	function test_anon_comments_require_email() {
+		add_filter( 'xmlrpc_allow_anonymous_comments', '__return_true' );
+		$this->make_user_by_role( 'administrator' );
+		$post = self::factory()->post->create_and_get();
+
+		$comment_args = array(
+			1,
+			'',
+			'',
+			$post->ID,
+			array(
+				'author'       => 'WordPress',
+				'author_email' => 'noreply at wordpress.org',
+				'content'      => 'Test Anon Comments',
+			),
+		);
+
+		$result = $this->myxmlrpcserver->wp_newComment( $comment_args );
+		$this->assertIXRError( $result );
+		$this->assertSame( 403, $result->code );
+	}
+
+	/**
+	 * Ensure valid users don't use the anon flow.
+	 *
+	 * @ticket 51595
+	 */
+	function test_username_avoids_anon_flow() {
+		add_filter( 'xmlrpc_allow_anonymous_comments', '__return_true' );
+		$this->make_user_by_role( 'administrator' );
+		$post = self::factory()->post->create_and_get();
+
+		$comment_args = array(
+			1,
+			'administrator',
+			'administrator',
+			$post->ID,
+			array(
+				'author'       => 'WordPress',
+				'author_email' => 'noreply at wordpress.org',
+				'content'      => 'Test Anon Comments',
+			),
+		);
+
+		$result = $this->myxmlrpcserver->wp_newComment( $comment_args );
+		$comment = get_comment( $result );
+		$user_id = get_user_by( 'login', 'administrator' )->ID;
+
+		$this->assertSame( $user_id, (int) $comment->user_id );
+	}
 }
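Review bot: `test_username_avoids_anon_flow` passes `$result` straight into `get_comment()` without first asserting that `wp_newComment()` succeeded, so a regression that returns an `IXR_Error` would surface as a confusing `user_id` mismatch (or an error inside `get_comment()`) rather than a clear failure; add `$this->assertNotIXRError( $result );` immediately before the `$comment = get_comment( $result );` line, as `test_allowed_anon_comments` already does. None of the three tests exercises the branch this commit repairs on its own terms, an address shorter than six bytes with `require_name_email` enabled, because `test_anon_comments_require_email` uses a long malformed address that only reaches the `is_email()` check; a fourth case with `'author_email' => 'a@b.c'` asserting an `IXR_Error` with code 403 would pin the `strlen()` fix directly. The two error-path tests also depend on `require_name_email` being on, which the server-side check is gated behind, yet neither sets it; a `update_option( 'require_name_email', 1 );` at the top of each would stop the assertions from relying on the test install's defaults. The enclosing `Tests_XMLRPC_wp_newComment` class opens above this hunk.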