

Use SCRIPT_NAME instead of REQUEST_URI to check path (#585) (#589)
The script currently checks whether the `REQUEST_URI` contains
`wp-comments-post.php`, the default script that handles the submission
of a comment. Some security plugins have options to rename this file
to disguise that WordPress is used.

With this fix, the `SCRIPT_NAME` is used instead. Since many security
plugins do use rewrite rules, while the `REQUEST_URI` value is changed,
the `SCRIPT_NAME` value stays the same. Therefore the condition would
still recognize if a comment was submitted.
2ndkauboy authored May 15, 2024
1 parent cb75530 commit 0b61f08
Showing 2 changed files with 4 additions and 4 deletions.
4 changes: 2 additions & 2 deletions antispam_bee.php
@@ -1134,7 +1134,7 @@ public static function precheck_incoming_request() {
return;
}

$request_uri = self::get_key( $_SERVER, 'REQUEST_URI' );
$request_uri = self::get_key( $_SERVER, 'SCRIPT_NAME' );
$request_path = self::parse_url( $request_uri, 'path' );

if ( strpos( $request_path, 'wp-comments-post.php' ) === false ) {
@@ -1168,7 +1168,7 @@ public static function precheck_incoming_request() {
public static function handle_incoming_request( $comment ) {
$comment['comment_author_IP'] = self::get_client_ip();

$request_uri = self::get_key( $_SERVER, 'REQUEST_URI' );
$request_uri = self::get_key( $_SERVER, 'SCRIPT_NAME' );
$request_path = self::parse_url( $request_uri, 'path' );

if ( empty( $request_path ) ) {
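Review bot: The lookup key changed but the match on the line after it is still a substring test, `strpos( $request_path, 'wp-comments-post.php' ) === false`, and the variable that now holds `SCRIPT_NAME` is still named `$request_uri`, which misleads the next reader; the same applies to the first hunk in precheck_incoming_request. Because `SCRIPT_NAME` is the server's path to the executed file rather than the client-supplied URL, an exact basename comparison is both clearer and tighter: `$script_name = self::get_key( $_SERVER, 'SCRIPT_NAME' );` with `$request_path = self::parse_url( $script_name, 'path' );` and `if ( basename( $request_path ) !== 'wp-comments-post.php' ) {`. The commit message assumes that rewrite rules keep `SCRIPT_NAME` pointing at the physical comment script; a plugin that rewrites the disguised URL to a different PHP file (or routes it through index.php) would presumably still miss this check, which is worth stating at the lookup, e.g. `// SCRIPT_NAME names the executed file, so URL rewrites used to disguise the endpoint do not change it.` The bodies of both handle_incoming_request and precheck_incoming_request start and end outside the hunks.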
4 changes: 2 additions & 2 deletions tests/Unit/AntispamBeeTest.php
@@ -68,7 +68,7 @@ public function test_gets_ip_address() {
$_SERVER['REMOTE_ADDR'] = '192.0.2.1';
$_SERVER['HTTP_X_FORWARDED_FOR'] = '192.0.2.2, 10.0.0.10';
$_SERVER['HTTP_X_REAL_IP'] = 'bogus';
$_SERVER['REQUEST_URI'] = 'https://domain.com/wp-comments-post.php';
$_SERVER['SCRIPT_NAME'] = '/wp-comments-post.php';
$_POST['comment'] = $comment;

$result = Testee::handle_incoming_request( $comment );
@@ -99,7 +99,7 @@ public function test_spam_reasons( $comment, $reason ) {
$comment = array_merge( $this->get_base_comment(), $comment );

$_SERVER['REMOTE_ADDR'] = '12.23.34.45';
$_SERVER['REQUEST_URI'] = 'https://domain.com/wp-comments-post.php';
$_SERVER['SCRIPT_NAME'] = '/wp-comments-post.php';
$_POST['comment'] = $comment;

// This is where we check for the spam reason that was detected.
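Review bot: The updated tests show that `SCRIPT_NAME` is honoured but not that `REQUEST_URI` is ignored, which is the behaviour the commit exists to provide; neither hunk sets a `REQUEST_URI` that differs from the script name. Setting, for example, `$_SERVER['REQUEST_URI'] = '/disguised-comment-endpoint';` (a constructed path that does not contain the script name) next to the `SCRIPT_NAME` line in test_spam_reasons, and likewise in test_gets_ip_address, would pin the rewrite scenario described in the commit message. Both test methods start and end outside the hunks, so it is not visible here whether `$_SERVER` is reset between tests; if a tearDown clears the old `REQUEST_URI` key, it presumably needs to clear `SCRIPT_NAME` now as well.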
