From 9aececb37451b0ca65c1bd59e45139b2461d18f0 Mon Sep 17 00:00:00 2001 From: Peter Wilson Date: Thu, 22 Oct 2020 02:40:06 +0000 Subject: [PATCH] XML-RPC: Fix length validation of anonymous commenter's email address. Fix the first step of validating an anonymous commenters in which the length is checked prior to running regular expressions. Follow up to [47808]. Fixes #51595. git-svn-id: https://develop.svn.wordpress.org/trunk@49271 602fd350-edb4-49c9-b593-d223f7449a82 --- src/wp-includes/class-wp-xmlrpc-server.php | 2 +- tests/phpunit/tests/xmlrpc/wp/newComment.php | 77 ++++++++++++++++++++ 2 files changed, 78 insertions(+), 1 deletion(-) diff --git a/src/wp-includes/class-wp-xmlrpc-server.php b/src/wp-includes/class-wp-xmlrpc-server.php index 959d0e2c5c..9b9c4f3205 100644 --- a/src/wp-includes/class-wp-xmlrpc-server.php +++ b/src/wp-includes/class-wp-xmlrpc-server.php @@ -3913,7 +3913,7 @@ class wp_xmlrpc_server extends IXR_Server { $comment['user_ID'] = 0; if ( get_option( 'require_name_email' ) ) { - if ( strlen( $comment['comment_author_email'] < 6 ) || '' === $comment['comment_author'] ) { + if ( strlen( $comment['comment_author_email'] ) < 6 || '' === $comment['comment_author'] ) { return new IXR_Error( 403, __( 'Comment author name and email are required.' ) ); } elseif ( ! is_email( $comment['comment_author_email'] ) ) { return new IXR_Error( 403, __( 'A valid email address is required.' ) ); diff --git a/tests/phpunit/tests/xmlrpc/wp/newComment.php b/tests/phpunit/tests/xmlrpc/wp/newComment.php index 5534099097..c654c46a56 100644 --- a/tests/phpunit/tests/xmlrpc/wp/newComment.php +++ b/tests/phpunit/tests/xmlrpc/wp/newComment.php @@ -96,4 +96,81 @@ class Tests_XMLRPC_wp_newComment extends WP_XMLRPC_UnitTestCase { $this->assertIXRError( $result ); $this->assertSame( 403, $result->code ); } + + /** + * Ensure anonymous comments can be made via XML-RPC. + * + * @ticket 51595 + */ + function test_allowed_anon_comments() { + add_filter( 'xmlrpc_allow_anonymous_comments', '__return_true' ); + + $comment_args = array( + 1, + '', + '', + self::$post->ID, + array( + 'author' => 'WordPress', + 'author_email' => 'noreply@wordpress.org', + 'content' => 'Test Anon Comments', + ), + ); + + $result = $this->myxmlrpcserver->wp_newComment( $comment_args ); + $this->assertNotIXRError( $result ); + $this->assertInternalType( 'int', $result ); + } + + /** + * Ensure anonymous XML-RPC comments require a valid email. + * + * @ticket 51595 + */ + function test_anon_comments_require_email() { + add_filter( 'xmlrpc_allow_anonymous_comments', '__return_true' ); + + $comment_args = array( + 1, + '', + '', + self::$post->ID, + array( + 'author' => 'WordPress', + 'author_email' => 'noreply at wordpress.org', + 'content' => 'Test Anon Comments', + ), + ); + + $result = $this->myxmlrpcserver->wp_newComment( $comment_args ); + $this->assertIXRError( $result ); + $this->assertSame( 403, $result->code ); + } + + /** + * Ensure valid users don't use the anon flow. + * + * @ticket 51595 + */ + function test_username_avoids_anon_flow() { + add_filter( 'xmlrpc_allow_anonymous_comments', '__return_true' ); + + $comment_args = array( + 1, + 'administrator', + 'administrator', + self::$post->ID, + array( + 'author' => 'WordPress', + 'author_email' => 'noreply at wordpress.org', + 'content' => 'Test Anon Comments', + ), + ); + + $result = $this->myxmlrpcserver->wp_newComment( $comment_args ); + $comment = get_comment( $result ); + $user_id = get_user_by( 'login', 'administrator' )->ID; + + $this->assertSame( $user_id, (int) $comment->user_id ); + } }