Skip to content

Use SCRIPT_NAME instead of REQUEST_URI to check path#589

Merged
stklcode merged 2 commits into
masterfrom
fix/585-use-script-name-for-request-path
May 15, 2024
Merged

Use SCRIPT_NAME instead of REQUEST_URI to check path#589
stklcode merged 2 commits into
masterfrom
fix/585-use-script-name-for-request-path

Conversation

@2ndkauboy
Copy link
Copy Markdown
Member

@2ndkauboy 2ndkauboy commented May 6, 2024

The script is currently checking if the REQUEST_URI is containing wp-comments-post.php, the default script to handle the submission of a comment. Some security plugins have options to rename this file to disguise that WordPress is used.

With this fix, the SCRIPT_NAME is used instead. Since many security plugins do use rewrite rules, while the REQUEST_URI value is changed, the SCRIPT_NAME value stays the same. Therefore, the condition would still recognize if a comment was submitted.

Fixes #585

@2ndkauboy
Use SCRIPT_NAME instead of REQUEST_URI to check path
230bbcd 
The script is currently checking if the `REQUEST_URI` is containing
`wp-comments-post.php`, the default script to handle the submission
of a comment. Some security plugins have options to rename this file
to disguise that WordPress is used.

With this fix, the `SCRIPT_NAME` is used instead. Since many security
plugins do use rewrite rules, while the `REQUEST_URI` value is changed,
the `SCRIPT_NAME` value stays the same. Therefore the condition would
still recognize if a comment was submitted.

Fixes #585
@2ndkauboy 2ndkauboy requested review from Zodiac1978 and stklcode May 6, 2024 19:57
@2ndkauboy 2ndkauboy force-pushed the fix/585-use-script-name-for-request-path branch from 230bbcd to e861fcd Compare May 7, 2024 19:06
stklcode
stklcode reviewed May 7, 2024
View reviewed changes
Comment thread tests/Unit/AntispamBeeTest.php Outdated
@2ndkauboy 2ndkauboy closed this May 7, 2024
@2ndkauboy 2ndkauboy force-pushed the fix/585-use-script-name-for-request-path branch from e861fcd to cb75530 Compare May 7, 2024 19:38
@2ndkauboy
Copy link
Copy Markdown
Member Author

2ndkauboy commented May 7, 2024

Somehow, I accidentally closed the PR 🤔

@2ndkauboy 2ndkauboy reopened this May 7, 2024
@2ndkauboy 2ndkauboy requested a review from stklcode May 7, 2024 20:10
@2ndkauboy 2ndkauboy force-pushed the fix/585-use-script-name-for-request-path branch from f68532c to 899df20 Compare May 7, 2024 20:16
@stklcode stklcode force-pushed the fix/585-use-script-name-for-request-path branch 6 times, most recently from b4ed229 to 899df20 Compare May 13, 2024 19:19
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented May 13, 2024

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

@Zodiac1978
Copy link
Copy Markdown
Member

Zodiac1978 commented May 13, 2024

Possible alternative approach:

johndarrel/hide-my-wp#2 (comment)

@2ndkauboy
Copy link
Copy Markdown
Member Author

2ndkauboy commented May 13, 2024

@Zodiac1978 I don't think it's an alternative approach, it's just another step. Currently, the condition is the following:

strpos( $request_path, 'wp-comments-post.php' ) !== false

The $request_path used to be the REQUEST_URI, which would change, if a security plugin "changes this script name" using a rewrite rule. By using SCRIPT_NAME, we make sure we get the script name of the actual script that handles the request.

This is only affecting the left side of the condition and the first parameter $request_path. With home_url(), we could replace the second parameter, the static wp-comments-post.php string. But this would still not solve the issue. Replacing the first parameter with home_url(), the condition would most probably always be true, right?

Since this PR resolves the issue, I would not introduce a new function call (twice), we probably don't need.

@stklcode
Copy link
Copy Markdown
Contributor

stklcode commented May 13, 2024

home_url(…) should equal REQUEST_URI. But I don’t see much of a benefit over the (cheaper) SCRIPT_NAME comparison.

@2ndkauboy
Copy link
Copy Markdown
Member Author

2ndkauboy commented May 13, 2024

The home_url() path is not looking at any $_SERVER values at all. All it does (in this case) is prepending the path with a slash. So calling home_url('wp-comments-post.php', 'relative') does always return /wp-comments-post.php, unless there is a filter hooking into home_url, which Hide My WP does not seem to do. So this is no solution.

@Zodiac1978 are you also OK to merge this then?

@Zodiac1978
Copy link
Copy Markdown
Member

Zodiac1978 commented May 15, 2024

are you also OK to merge this then?

I just asked the author and if his approach is not smart, let's do it better.

From my understanding, it would still solve the issue with his plugin, so yes, I'm fine with PR!

Zodiac1978
Zodiac1978 approved these changes May 15, 2024
View reviewed changes
Copy link
Copy Markdown
Member

@Zodiac1978 Zodiac1978 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@stklcode stklcode merged commit 0b61f08 into master May 15, 2024
@2ndkauboy 2ndkauboy deleted the fix/585-use-script-name-for-request-path branch May 16, 2024 07:49
stklcode added a commit that referenced this pull request May 16, 2024
@stklcode
Use SCRIPT_NAME instead of REQUEST_URI to check path (#585) (#589)
54d7052 
The script is currently checking if the `REQUEST_URI` is containing
`wp-comments-post.php`, the default script to handle the submission
of a comment. Some security plugins have options to rename this file
to disguise that WordPress is used.

With this fix, the `SCRIPT_NAME` is used instead. Since many security
plugins do use rewrite rules, while the `REQUEST_URI` value is changed,
the `SCRIPT_NAME` value stays the same. Therefor the condition would
still recognize if a comment was submitted.

Original fix by @2ndkauboy in #589, adapted to v3.
@stklcode stklcode mentioned this pull request May 16, 2024
Merged
stklcode added a commit that referenced this pull request May 16, 2024
@stklcode
Use SCRIPT_NAME instead of REQUEST_URI to check path (#585) (#593)
3c110f0 
The script is currently checking if the `REQUEST_URI` is containing
`wp-comments-post.php`, the default script to handle the submission
of a comment. Some security plugins have options to rename this file
to disguise that WordPress is used.

With this fix, the `SCRIPT_NAME` is used instead. Since many security
plugins do use rewrite rules, while the `REQUEST_URI` value is changed,
the `SCRIPT_NAME` value stays the same. Therefor the condition would
still recognize if a comment was submitted.

Original fix by @2ndkauboy in #589, adapted to v3.
stklcode added a commit that referenced this pull request May 16, 2024
@stklcode
fix: use SCRIPT_NAME instead of REQUEST_URI to check path (#585) (#593)
e89b9b7 
The script is currently checking if the `REQUEST_URI` is containing
`wp-comments-post.php`, the default script to handle the submission
of a comment. Some security plugins have options to rename this file
to disguise that WordPress is used.

With this fix, the `SCRIPT_NAME` is used instead. Since many security
plugins do use rewrite rules, while the `REQUEST_URI` value is changed,
the `SCRIPT_NAME` value stays the same. Therefor the condition would
still recognize if a comment was submitted.

Original fix by @2ndkauboy in #589, adapted to v3.
@stklcode stklcode added this to the 2.11.7 milestone May 16, 2024
stklcode added a commit that referenced this pull request May 22, 2024
@stklcode
fix: use SCRIPT_NAME instead of REQUEST_URI to check path (#585) (#593)
73fc738 
The script is currently checking if the `REQUEST_URI` is containing
`wp-comments-post.php`, the default script to handle the submission
of a comment. Some security plugins have options to rename this file
to disguise that WordPress is used.

With this fix, the `SCRIPT_NAME` is used instead. Since many security
plugins do use rewrite rules, while the `REQUEST_URI` value is changed,
the `SCRIPT_NAME` value stays the same. Therefor the condition would
still recognize if a comment was submitted.

Original fix by @2ndkauboy in #589, adapted to v3.
2ndkauboy pushed a commit that referenced this pull request Nov 1, 2024
@stklcode @2ndkauboy
fix: use SCRIPT_NAME instead of REQUEST_URI to check path (#585) (#593)
a971124 
The script is currently checking if the `REQUEST_URI` is containing
`wp-comments-post.php`, the default script to handle the submission
of a comment. Some security plugins have options to rename this file
to disguise that WordPress is used.

With this fix, the `SCRIPT_NAME` is used instead. Since many security
plugins do use rewrite rules, while the `REQUEST_URI` value is changed,
the `SCRIPT_NAME` value stays the same. Therefor the condition would
still recognize if a comment was submitted.

Original fix by @2ndkauboy in #589, adapted to v3.
stklcode added a commit that referenced this pull request Nov 1, 2024
@stklcode
fix: use SCRIPT_NAME instead of REQUEST_URI to check path (#585) (#593)
53e0de9 
The script is currently checking if the `REQUEST_URI` is containing
`wp-comments-post.php`, the default script to handle the submission
of a comment. Some security plugins have options to rename this file
to disguise that WordPress is used.

With this fix, the `SCRIPT_NAME` is used instead. Since many security
plugins do use rewrite rules, while the `REQUEST_URI` value is changed,
the `SCRIPT_NAME` value stays the same. Therefor the condition would
still recognize if a comment was submitted.

Original fix by @2ndkauboy in #589, adapted to v3.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Zodiac1978 Zodiac1978 Zodiac1978 approved these changes

@stklcode stklcode stklcode approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

2.11.7

Development

Successfully merging this pull request may close these issues.

Hide My WP Ghost - Security Obfuscation

3 participants

@2ndkauboy @Zodiac1978 @stklcode