Ticket #5130 (new defect)

Opened 9 months ago

Last modified 6 months ago

Linking to multiple posts on your site breaks pingback due to comment flooding

Reported by: Denis-de-Bernardy Assigned to: anonymous
Priority: normal Milestone: 2.6
Component: General Version: 2.3
Severity: normal Keywords:
Cc: scottsm

Change History

10/12/07 01:12:40 changed by Otto42

  • summary changed from pingPreserver to Linking to multiple posts on your own site breaks pingback due to comment flooding.
  • version set to 2.3.
  • milestone changed from 2.5 to 2.4.

Useful, sure. But not particularly safe. The method he's using basically just opens up the ability for a comment flood through the xmlrpc pingback door.

A better approach would be to detect self-pings and perform them in a more direct manner, instead of through an http connection to xmlrpc. Preferably through an action of some kind, so self-pings can easily be disabled.

10/12/07 16:39:02 changed by foolswisdom

  • milestone changed from 2.4 to 2.5.

Leaving as MS 2.5 until patch provided or developer takes ownership of the ticket.

01/22/08 00:15:39 changed by scottsm

I'm the writer of the plugin. Sorry about the late comment, I never realized this made it up here until I was looking around today.

Anyway, I was worried about the possibility of a comment flood through the xmlrpc but since I haven't yet [knock on wood] run into a comment flood but have been (slightly) annoyed with missing pings I figured I'd give this way a try. Detecting self-pings would be good but it seems like it would also be good to catch legitimate multiple pings from other blogs so I guess that wouldn't work.

So I guess that means fixing this would require some method similar to the plugin. It is worth mentioning that the plugin is only letting 5 pings through in 15 seconds compared to the default 1. What if the limit on pings was no more than 5 in say 75 seconds? That would offer the same protection as the current comment_flood_filter but still allow multiple pings.

This could be done easily by adding:

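global $wpdb; // not otherwise in scope inside wp_throttle_comment_flood
if ( ( $time_newcomment - $time_lastcomment ) < 15 ) {
  // Only pingbacks (requests handled by xmlrpc.php) get the larger allowance.
  if ( strpos( $_SERVER['PHP_SELF'], 'xmlrpc.php' ) !== false ) {
    // comment_date_gmt is stored in GMT, so compare with UTC_TIMESTAMP(), not NOW().
    $pings = $wpdb->get_var( $wpdb->prepare(
            "SELECT COUNT(comment_date_gmt) FROM $wpdb->comments
            WHERE comment_author_IP = %s AND
            TIME_TO_SEC(TIMEDIFF(UTC_TIMESTAMP(), comment_date_gmt)) < 75",
            $_SERVER['REMOTE_ADDR'] ) );
    // Five already recorded in the window: one more would exceed the limit of 5.
    if ( $pings >= 5 ) return true;
  } else {
    return true;
  }
}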

to function wp_throttle_comment_flood in comment.php.
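
The trade-off discussed in this comment (one comment per 15 seconds versus up to 5 pingbacks in 75 seconds), replayed over constructed arrival times as an added example that is not part of the ticket or of WordPress. All function names are hypothetical. It shows that a short burst of pingbacks gets through under the proposed rule, while a sustained flood is held to the same long-run rate after an initial burst of five.

```php
<?php
// Added illustration, not WordPress code; all function names are hypothetical.

// Default rule as described in the ticket: reject when the previous accepted
// comment from the same IP is less than $gap seconds old.
function default_allows(array $accepted, int $now, int $gap = 15): bool {
    return !$accepted || ($now - end($accepted)) >= $gap;
}

// Proposed rule: inside the gap, still accept a pingback while fewer than
// $max comments from this IP fall within the last $window seconds.
function proposed_allows(array $accepted, int $now, bool $is_pingback,
                         int $gap = 15, int $max = 5, int $window = 75): bool {
    if (default_allows($accepted, $now, $gap)) {
        return true;
    }
    if (!$is_pingback) {
        return false;
    }
    $recent = array_filter($accepted, fn($t) => ($now - $t) < $window);
    return count($recent) < $max;
}

// Replay arrival times (seconds) from one IP; return the accepted ones.
function replay(array $arrivals, callable $rule): array {
    $accepted = [];
    foreach ($arrivals as $t) {
        if ($rule($accepted, $t)) {
            $accepted[] = $t;
        }
    }
    return $accepted;
}

$proposed = fn($acc, $t) => proposed_allows($acc, $t, true);

// Constructed input: three pingbacks one second apart (one post, three links).
$burst = [0, 1, 2];
// Constructed input: one pingback per second for five minutes.
$flood = range(0, 299);

foreach (['burst' => $burst, 'flood' => $flood] as $name => $arrivals) {
    printf("%s: default accepts %d, proposed accepts %d of %d\n", $name,
        count(replay($arrivals, 'default_allows')),
        count(replay($arrivals, $proposed)), count($arrivals));
}
```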

01/22/08 00:35:55 changed by scottsm

Oh and the title "Linking to multiple posts on your own site breaks pingback due to comment flooding" doesn't cover the whole problem. An outside site linking to multiple posts on your own site also breaks pingback due to comment flooding. I've seen a decent number of times in my limited blogging experience where people have linked to more than one of my posts yet only one ping has shown up. I really like how pings improve the interconnectedness of blogging but the comment flood protection is getting in the way (unnecessarily?).

01/22/08 00:41:59 changed by scottsm

  • cc set to scottsm.

01/22/08 00:42:26 changed by scottsm

  • summary changed from Linking to multiple posts on your own site breaks pingback due to comment flooding to Linking to multiple posts on your site breaks pingback due to comment flooding.