XML-RPC: Fix length validation of anonymous commenter's email address.

Fix the first step of validating an anonymous commenters in which the length is checked prior to running regular expressions. Follow up to [47808]. Fixes #51595. git-svn-id: https://develop.svn.wordpress.org/trunk@49271 602fd350-edb4-49c9-b593-d223f7449a82
2020-10-22 02:40:06 +00:00 · 2020-10-22 02:40:06 +00:00 · 9aececb374
parent 4143182d6b
commit 9aececb374
2 changed files with 78 additions and 1 deletions
--- a/src/wp-includes/class-wp-xmlrpc-server.php
+++ b/src/wp-includes/class-wp-xmlrpc-server.php
@ -3913,7 +3913,7 @@ class wp_xmlrpc_server extends IXR_Server {
 			$comment['user_ID'] = 0;

 			if ( get_option( 'require_name_email' ) ) {
-				if ( strlen( $comment['comment_author_email'] < 6 ) || '' === $comment['comment_author'] ) {
+				if ( strlen( $comment['comment_author_email'] ) < 6 || '' === $comment['comment_author'] ) {
 					return new IXR_Error( 403, __( 'Comment author name and email are required.' ) );
 				} elseif ( ! is_email( $comment['comment_author_email'] ) ) {
 					return new IXR_Error( 403, __( 'A valid email address is required.' ) );
--- a/tests/phpunit/tests/xmlrpc/wp/newComment.php
+++ b/tests/phpunit/tests/xmlrpc/wp/newComment.php
@ -96,4 +96,81 @@ class Tests_XMLRPC_wp_newComment extends WP_XMLRPC_UnitTestCase {
 		$this->assertIXRError( $result );
 		$this->assertSame( 403, $result->code );
 	}
+
+	/**
+	 * Ensure anonymous comments can be made via XML-RPC.
+	 *
+	 * @ticket 51595
+	 */
+	function test_allowed_anon_comments() {
+		add_filter( 'xmlrpc_allow_anonymous_comments', '__return_true' );
+
+		$comment_args = array(
+			1,
+			'',
+			'',
+			self::$post->ID,
+			array(
+				'author'       => 'WordPress',
+				'author_email' => 'noreply@wordpress.org',
+				'content'      => 'Test Anon Comments',
+			),
+		);
+
+		$result = $this->myxmlrpcserver->wp_newComment( $comment_args );
+		$this->assertNotIXRError( $result );
+		$this->assertInternalType( 'int', $result );
+	}
+
+	/**
+	 * Ensure anonymous XML-RPC comments require a valid email.
+	 *
+	 * @ticket 51595
+	 */
+	function test_anon_comments_require_email() {
+		add_filter( 'xmlrpc_allow_anonymous_comments', '__return_true' );
+
+		$comment_args = array(
+			1,
+			'',
+			'',
+			self::$post->ID,
+			array(
+				'author'       => 'WordPress',
+				'author_email' => 'noreply at wordpress.org',
+				'content'      => 'Test Anon Comments',
+			),
+		);
+
+		$result = $this->myxmlrpcserver->wp_newComment( $comment_args );
+		$this->assertIXRError( $result );
+		$this->assertSame( 403, $result->code );
+	}
+
+	/**
+	 * Ensure valid users don't use the anon flow.
+	 *
+	 * @ticket 51595
+	 */
+	function test_username_avoids_anon_flow() {
+		add_filter( 'xmlrpc_allow_anonymous_comments', '__return_true' );
+
+		$comment_args = array(
+			1,
+			'administrator',
+			'administrator',
+			self::$post->ID,
+			array(
+				'author'       => 'WordPress',
+				'author_email' => 'noreply at wordpress.org',
+				'content'      => 'Test Anon Comments',
+			),
+		);
+
+		$result  = $this->myxmlrpcserver->wp_newComment( $comment_args );
+		$comment = get_comment( $result );
+		$user_id = get_user_by( 'login', 'administrator' )->ID;
+
+		$this->assertSame( $user_id, (int) $comment->user_id );
+	}
 }