#3643 closed defect (bug) (invalid)
Spam bots can still submit comments, even if the feature is disabled
Reported by: | sendspace | Owned by: | |
---|---|---|---|
Milestone: | | Priority: | high |
Severity: | major | Version: | 2.1 |
Component: | Security | Keywords: | |
Focuses: | | Cc: | |
Description
Hi,
I have looked through the closed tickets for v2.1 but did not find this mentioned.
Even though blogs with disabled comments no longer produce the link to submit a comment, spambots know the URLs and forms. They submit comments directly to the comment script and by doing so bypass 'comments disabled'.
I would suggest adding a check at the actual comment submission script in order to prevent this from happening.
Thanks,
Richard
Change History (9)
#1
17 years ago
- Component changed from Administration to Security
- Milestone changed from 2.2 to 2.1.1
#4
17 years ago
- Priority changed from low to normal
- Resolution invalid deleted
- Status changed from closed to reopened
I had this problem also, and I am sure I set both the setting on the post, and in options to not allow comments. In addition, it was set to require a logged-in user for commenting, and there are none.
I'm no expert in PHP, so correct me if I'm wrong, but I don't think that script actually kills it.
It is not die() in the code, it is wp_die(), a function set in wp_includes/functions.php.
Looking at the code there, I see no reference to the actual "die()" function that would kill the script.
Still looking around, I might be missing something, but I don't even see the functions.php file included in the wp_comments_post.php file.
Reopening the ticket.
#5
17 years ago
- Priority changed from normal to high
- Severity changed from normal to major
As a security bug, it should be a bit more important.
#6
17 years ago
- Resolution set to invalid
- Status changed from reopened to closed
functions.php is included (gradually) by wp-config.php.
And in wp_die(), line 1361 of functions.php, is die().
in wp-comments-post.php:
You've likely confused the global setting with retroactive comment closing. That setting only affects the default setting for new posts. Old posts' comment statuses remain the same.
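
The two points raised in this ticket, as an added PHP example that is not WordPress code and not from any participant: the check has to run in the submission handler and end processing on rejection, and a site-wide default does not change the status already stored on older posts. All function names, field names and data below are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; hypothetical names throughout, not the WordPress API.

// Constructed sample data: each post stores its own comment status.
$posts = [
    1 => ['title' => 'Old post', 'comment_status' => 'open'],   // created before the default changed
    2 => ['title' => 'New post', 'comment_status' => 'closed'], // created after the default changed
];
// Site-wide default: copied onto a post only when the post is created.
$default_comment_status = 'closed';

final class CommentRejected extends RuntimeException {}

/**
 * Decide whether a directly POSTed comment is accepted.
 * Enforcement reads the post's stored status; it does not depend on whether
 * the form was rendered, and it does not consult the site-wide default.
 */
function accept_comment(array $posts, array $request): array
{
    $post_id = filter_var($request['post_id'] ?? null, FILTER_VALIDATE_INT);
    if ($post_id === false || !isset($posts[$post_id])) {
        throw new CommentRejected('Unknown post.', 404);
    }
    if ($posts[$post_id]['comment_status'] !== 'open') {
        throw new CommentRejected('Comments are closed for this item.', 403);
    }
    $body = trim((string)($request['comment'] ?? ''));
    if ($body === '') {
        throw new CommentRejected('Empty comment.', 400);
    }
    return ['post_id' => $post_id, 'comment' => $body];
}

// Constructed requests sent straight to the handler, bypassing any form.
$requests = [
    ['post_id' => '2', 'comment' => 'spam'], // closed post: rejected
    ['post_id' => '1', 'comment' => 'spam'], // old post still open: the default did not close it
];
foreach ($requests as $request) {
    try {
        $saved = accept_comment($posts, $request);
        echo "stored on post {$saved['post_id']}\n";
    } catch (CommentRejected $e) {
        // The exception ends handling of this request; no storage code runs.
        echo "rejected ({$e->getCode()}): {$e->getMessage()}\n";
    }
}
```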