From 0fdb955ce8c8dcc30412617096896137f7717142 Mon Sep 17 00:00:00 2001 From: Rachel Baker Date: Fri, 18 Nov 2016 21:13:32 +0000 Subject: [PATCH] REST API: On Comment create, limit the ability to set the `author_ip` value directly. Users without the moderate_comments capability can no longer set the `author_ip` property directly, and instead receive a `WP_Error` if they attempt to do so. Otherwise, the `author_ip property` is populated from `$_SERVER['REMOTE_ADDR']` if present and a valid IP value. Finally, fallback to 127.0.0.1 as a last resort. Props dd32, rachelbaker, joehoyle. Fixes #38819. Built from https://develop.svn.wordpress.org/trunk@39302 git-svn-id: http://core.svn.wordpress.org/trunk@39242 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- .../class-wp-rest-comments-controller.php | 15 ++++++++++++--- wp-includes/version.php | 2 +- 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php b/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php index d90b949244..c8efdf1683 100644 --- a/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php +++ b/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php @@ -371,12 +371,18 @@ class WP_REST_Comments_Controller extends WP_REST_Controller { return new WP_Error( 'rest_comment_login_required', __( 'Sorry, you must be logged in to comment.' ), array( 'status' => 401 ) ); } - // Limit who can set comment `author` or `status` to anything other than the default. + // Limit who can set comment `author`, `author_ip` or `status` to anything other than the default. if ( isset( $request['author'] ) && get_current_user_id() !== $request['author'] && ! current_user_can( 'moderate_comments' ) ) { /* translators: %s: request parameter */ return new WP_Error( 'rest_comment_invalid_author', sprintf( __( "Sorry, you are not allowed to edit '%s' for comments." ), 'author' ), array( 'status' => rest_authorization_required_code() ) ); } + if ( isset( $request['author_ip'] ) && ! current_user_can( 'moderate_comments' ) ) { + if ( empty( $_SERVER['REMOTE_ADDR'] ) || $request['author_ip'] !== $_SERVER['REMOTE_ADDR'] ) { + return new WP_Error( 'rest_comment_invalid_author_ip', __( 'Sorry, you are not allowed to set author_ip for comments.' ), array( 'status' => rest_authorization_required_code() ) ); + } + } + if ( isset( $request['status'] ) && ! current_user_can( 'moderate_comments' ) ) { /* translators: %s: request parameter */ return new WP_Error( 'rest_comment_invalid_status', sprintf( __( "Sorry, you are not allowed to edit '%s' for comments." ), 'status' ), array( 'status' => rest_authorization_required_code() ) ); @@ -1041,8 +1047,12 @@ class WP_REST_Comments_Controller extends WP_REST_Controller { $prepared_comment['comment_author_url'] = $request['author_url']; } - if ( isset( $request['author_ip'] ) ) { + if ( isset( $request['author_ip'] ) && current_user_can( 'moderate_comments' ) ) { $prepared_comment['comment_author_IP'] = $request['author_ip']; + } elseif ( ! empty( $_SERVER['REMOTE_ADDR'] ) && rest_is_ip_address( $_SERVER['REMOTE_ADDR'] ) ) { + $prepared_comment['comment_author_IP'] = $_SERVER['REMOTE_ADDR']; + } else { + $prepared_comment['comment_author_IP'] = '127.0.0.1'; } if ( ! empty( $request['author_user_agent'] ) ) { @@ -1119,7 +1129,6 @@ class WP_REST_Comments_Controller extends WP_REST_Controller { 'type' => 'string', 'format' => 'ip', 'context' => array( 'edit' ), - 'default' => '127.0.0.1', ), 'author_name' => array( 'description' => __( 'Display name for the object author.' ), diff --git a/wp-includes/version.php b/wp-includes/version.php index af01432cc7..5392cf1ad9 100644 --- a/wp-includes/version.php +++ b/wp-includes/version.php @@ -4,7 +4,7 @@ * * @global string $wp_version */ -$wp_version = '4.7-beta4-39301'; +$wp_version = '4.7-beta4-39302'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.