From 94ab2f9b161935289e54a05fdb2ac99bdb1cc965 Mon Sep 17 00:00:00 2001 From: Rachel Baker Date: Thu, 3 Nov 2016 01:12:31 +0000 Subject: [PATCH] REST API: Return an error when the length of a comment field is too long. Introduces `wp_check_comment_data_max_lengths()` which allows both the REST API comments endpoints and `wp_handle_comment_submission()` to check the length of the comment content, author name, author url, and author email fields against their respective database columns. Props rachelbaker, mangeshp, salcode, pento. Fixes #38477. Built from https://develop.svn.wordpress.org/trunk@39101 git-svn-id: http://core.svn.wordpress.org/trunk@39043 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-includes/comment.php | 51 +++++++++++++------ .../class-wp-rest-comments-controller.php | 12 +++++ wp-includes/version.php | 2 +- 3 files changed, 49 insertions(+), 16 deletions(-) diff --git a/wp-includes/comment.php b/wp-includes/comment.php index 7da516266f..8a13723001 100644 --- a/wp-includes/comment.php +++ b/wp-includes/comment.php @@ -1121,6 +1121,37 @@ function wp_get_comment_fields_max_lengths() { return apply_filters( 'wp_get_comment_fields_max_lengths', $lengths ); } +/** + * Compares the lengths of comment data against the maximum character limits. + * + * @since 4.7.0 + * + * @param array $comment_data Array of arguments for inserting a comment. + * @return WP_Error|true WP_Error when a comment field exceeds the limit, + * otherwise true. + */ +function wp_check_comment_data_max_lengths( $comment_data ) { + $max_lengths = wp_get_comment_fields_max_lengths(); + + if ( isset( $comment_data['comment_author'] ) && mb_strlen( $comment_data['comment_author'], '8bit' ) > $max_lengths['comment_author'] ) { + return new WP_Error( 'comment_author_column_length', __( 'ERROR: your name is too long.' ), 200 ); + } + + if ( isset( $comment_data['comment_author_email'] ) && strlen( $comment_data['comment_author_email'] ) > $max_lengths['comment_author_email'] ) { + return new WP_Error( 'comment_author_email_column_length', __( 'ERROR: your email address is too long.' ), 200 ); + } + + if ( isset( $comment_data['comment_author_url'] ) && strlen( $comment_data['comment_author_url'] ) > $max_lengths['comment_author_url'] ) { + return new WP_Error( 'comment_author_url_column_length', __( 'ERROR: your url is too long.' ), 200 ); + } + + if ( isset( $comment_data['comment_content'] ) && mb_strlen( $comment_data['comment_content'], '8bit' ) > $max_lengths['comment_content'] ) { + return new WP_Error( 'comment_content_column_length', __( 'ERROR: your comment is too long.' ), 200 ); + } + + return true; +} + /** * Does comment contain blacklisted characters or words. * @@ -3032,7 +3063,6 @@ function wp_handle_comment_submission( $comment_data ) { } $comment_type = ''; - $max_lengths = wp_get_comment_fields_max_lengths(); if ( get_option( 'require_name_email' ) && ! $user->exists() ) { if ( 6 > strlen( $comment_author_email ) || '' == $comment_author ) { @@ -3042,22 +3072,8 @@ function wp_handle_comment_submission( $comment_data ) { } } - if ( isset( $comment_author ) && $max_lengths['comment_author'] < mb_strlen( $comment_author, '8bit' ) ) { - return new WP_Error( 'comment_author_column_length', __( 'ERROR: your name is too long.' ), 200 ); - } - - if ( isset( $comment_author_email ) && $max_lengths['comment_author_email'] < strlen( $comment_author_email ) ) { - return new WP_Error( 'comment_author_email_column_length', __( 'ERROR: your email address is too long.' ), 200 ); - } - - if ( isset( $comment_author_url ) && $max_lengths['comment_author_url'] < strlen( $comment_author_url ) ) { - return new WP_Error( 'comment_author_url_column_length', __( 'ERROR: your url is too long.' ), 200 ); - } - if ( '' == $comment_content ) { return new WP_Error( 'require_valid_comment', __( 'ERROR: please type a comment.' ), 200 ); - } elseif ( $max_lengths['comment_content'] < mb_strlen( $comment_content, '8bit' ) ) { - return new WP_Error( 'comment_content_column_length', __( 'ERROR: your comment is too long.' ), 200 ); } $commentdata = compact( @@ -3071,6 +3087,11 @@ function wp_handle_comment_submission( $comment_data ) { 'user_ID' ); + $check_max_lengths = wp_check_comment_data_max_lengths( $commentdata ); + if ( is_wp_error( $check_max_lengths ) ) { + return $check_max_lengths; + } + $comment_id = wp_new_comment( wp_slash( $commentdata ), true ); if ( is_wp_error( $comment_id ) ) { return $comment_id; diff --git a/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php b/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php index 3454dc1906..bfd652db4b 100644 --- a/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php +++ b/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php @@ -484,6 +484,12 @@ class WP_REST_Comments_Controller extends WP_REST_Controller { $prepared_comment['comment_agent'] = ''; } + $check_comment_lengths = wp_check_comment_data_max_lengths( $prepared_comment ); + if ( is_wp_error( $check_comment_lengths ) ) { + $error_code = $check_comment_lengths->get_error_code(); + return new WP_Error( $error_code, __( 'Comment field exceeds maximum length allowed.' ), array( 'status' => 400 ) ); + } + $prepared_comment['comment_approved'] = wp_allow_comment( $prepared_comment, true ); if ( is_wp_error( $prepared_comment['comment_approved'] ) ) { @@ -631,6 +637,12 @@ class WP_REST_Comments_Controller extends WP_REST_Controller { $prepared_args['comment_ID'] = $id; + $check_comment_lengths = wp_check_comment_data_max_lengths( $prepared_args ); + if ( is_wp_error( $check_comment_lengths ) ) { + $error_code = $check_comment_lengths->get_error_code(); + return new WP_Error( $error_code, __( 'Comment field exceeds maximum length allowed.' ), array( 'status' => 400 ) ); + } + $updated = wp_update_comment( $prepared_args ); if ( 0 === $updated ) { diff --git a/wp-includes/version.php b/wp-includes/version.php index 5bae15fa8b..33599270ef 100644 --- a/wp-includes/version.php +++ b/wp-includes/version.php @@ -4,7 +4,7 @@ * * @global string $wp_version */ -$wp_version = '4.7-beta1-39100'; +$wp_version = '4.7-beta1-39101'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.