Ticket #2931 (closed defect (bug): fixed)

Opened 3 years ago

Last modified 2 years ago

User-Agent Used When Requesting /wp-admin/execute-pings.php?time= Should not be Blank

Reported by: macmanx
Assigned to: anonymous
Priority: high
Milestone:
Component: Security
Version: 2.0.3
Severity: major
Keywords: bg|has-patch bg|commit
Cc:

Description

Currently, WordPress (v2.0.3) seems to use a blank user-agent when requesting /wp-admin/execute-pings.php?time=<number>. This is a common technique used by spammers to avoid spam filters. Without a user-agent, requests for files such as this (even if they come from one's own server) can seem very suspicious to the average log-reading user. Similar to the previously reported (and fixed) bug #1713, WordPress should not be employing the use of common spam techniques, and should identify itself with a WordPress user-agent whenever possible.

Attachments

functions.diff (0.8 kB) - added by error on 07/09/06 14:21:04.
wp-includes/functions.php send user agent on execute-pings

Change History

07/09/06 06:10:59 changed by error

  • keywords changed from execute-pings.php user-agent to bg|has-patch.
  • component changed from Administration to Security.

I've put in a patch which looks like it fixes the issue.

07/09/06 14:14:52 changed by darkfate

  • keywords changed from bg|has-patch to bg|has-patch|commit.

07/09/06 14:21:04 changed by error

  • attachment functions.diff added.

wp-includes/functions.php send user agent on execute-pings

07/10/06 00:54:09 changed by macmanx

Thanks for the patch, Error! As far as this specific bug is concerned, it worked perfectly with apparently no adverse effects. As expected, /wp-admin/execute-pings.php?time= was requested with a "WordPress/2.0.3" user-agent.

However, at exactly the same time, something from my server sent a GET request for the test post's URL with no user-agent. Since there was no user-agent present, and since it was only requesting the post's URL, I can't tell if it was WordPress or something else.

This bug really shouldn't be limited to /wp-admin/execute-pings.php?time=, and I apologize for titling it as such. WordPress should always identify itself with a "WordPress/<version>" user-agent whenever possible.
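
The following log audit is an added example, not part of the ticket or of WordPress. It covers the situation in the ticket description and in the comment above by listing requests that arrived with a blank user-agent and marking those sent from the server's own address. The log lines are constructed, the combined log format is assumed, and 203.0.113.10 is an assumed stand-in for the server's address.

```python
import re
from collections import namedtuple

# Combined log format: host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

Finding = namedtuple("Finding", "host time method path origin")

def blank_agent_requests(lines, own_addresses):
    """Return requests whose User-Agent is empty or "-", tagged 'self' when the
    client address is one of the server's own addresses, else 'external'."""
    findings = []
    for line in lines:
        m = COMBINED.match(line.strip())
        if m is None:
            continue  # not a combined-format line; skip rather than guess
        if m["agent"].strip() not in ("", "-"):
            continue  # request identified itself
        origin = "self" if m["host"] in own_addresses else "external"
        findings.append(Finding(m["host"], m["time"], m["method"], m["path"], origin))
    return findings

# Constructed sample log lines (203.0.113.10 stands in for the server's own address).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jul/2006:00:50:01 +0000] "GET /wp-admin/execute-pings.php?time=1152492601 HTTP/1.0" 200 - "-" "WordPress/2.0.3"
203.0.113.10 - - [10/Jul/2006:00:50:01 +0000] "GET /2006/07/test-post/ HTTP/1.0" 200 5120 "-" "-"
198.51.100.7 - - [10/Jul/2006:00:51:12 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 - "-" ""
192.0.2.44 - - [10/Jul/2006:00:52:30 +0000] "GET / HTTP/1.1" 200 8042 "-" "Mozilla/5.0 (X11; Linux i686) Firefox/1.5.0.4"
""".splitlines()

if __name__ == "__main__":
    for f in blank_agent_requests(SAMPLE_LOG, {"127.0.0.1", "203.0.113.10"}):
        print(f"{f.origin:8} {f.host:15} {f.method} {f.path}")
```

Entries tagged "self" are the ones to trace back to code on the server that still sends no user-agent.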

07/10/06 01:09:23 changed by error

  • keywords changed from bg|has-patch|commit to bg|has-patch bg|commit.

Well, yes, I agree that it should. Unfortunately, WP is still quite full of duplicate code, and more seems to get added all the time. Oh well. Topic for another bug, maybe?

07/26/06 17:45:21 changed by ryan

  • status changed from new to closed.
  • resolution set to fixed.

(In [4048]) Don't use blank user agent when pinging. Props error. fixes #2931

11/30/06 19:41:50 changed by

  • milestone deleted.

Milestone 2.0.4 deleted