Comment author check issue in 1.7.1

I have just updated one of my blogs to 1.7.1 to test the comment changes made in 1.7.1 so that I can work on the comment queue mod. I made a test to post a comment and found an issue with the author check. The code at line 696 in gm-comments.cgi is:

Code:
if ($IN{'newcommentauthor'} =~ m/$a_name/i) {

This code checks if the comment author is one of the registered authors. This is to stop others from posting comments as a real author. If a real author wishes to post then he needs to use AUTHUSER_AUTHPASSWORD. I tested a comment as a comment author “Pete”, which is the same GM author that posted the entry. This works fine and the post is blocked. BUT when I tried to post another comment as “Pete Finnigan” – it was also blocked. I then tried “Pete Smith”; this was blocked also. The line of code above simply tests if the author name is anywhere in the comment author string. To fix the issue change line 696 to:

Code:
if ($IN{'newcommentauthor'} =~ m/^$a_name$/i) {

This then checks for an exact match of the author against the comment author.

Good catch Pete, can you see the egg on my face from across the pond? 🙂

Updated:

I remember why I did this now. It's to avoid people using whitespace to pad names, for example ‘ pete’ shouldn’t match ‘pete’. Still it seems that it is too strict. Perhaps there is a way to tighten it down slightly.

I also wanted to catch stuff like ‘coldstone sucks’ which would not be caught with the exact match.

I can see your logic and it's valid, but I think mine is as well. If I have a username “Pete” and I want to stop anyone posting as me, I cannot let loose matches stop all posts beginning with “Pete”, i.e. “Pete Smith” for instance. This would stop a genuine person who might be called “Pete Smith” from commenting and using their own name.

That said I don’t know what the solution is yet, somewhere between both our points of view I guess.

The problem would be, how do you block “Pete sucks” and allow “Pete Smith” through? – I think I would still advocate exact matches on author names as the whole purpose of the check is to prevent impersonation. Maybe the solution is to use the censor list on commenter names as well? Or maybe the issue would be better solved once we get the comment moderation queue running?

The moderation queue will definitely help, however, I was able to fool my friends on a WordPress site they run when I tested if WordPress had this feature. They let my comment through because they didn’t know if the other person running the site had actually made the post, but then again, with the mod queue, they could see the email address used.

I could make the author check be something like ‘off’, ‘on – strict’, and ‘on – loose’. The commenter’s name does get run through the censor list. Even for strict though, I imagine that whitespace would be ignored so that ‘ pete’ will trigger a block.

I think the regex would be:

Code:
if ($IN{'newcommentauthor'} =~ m/^\w*?$a_name\w*?$/i) {

That way people would have a choice about how strict the name is.
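To make the trade-off discussed in this thread concrete, here is an added example (not Greymatter's own code, and not from either poster) of an author check with the three modes suggested above: 'off', 'strict' and 'loose'. The registered author list and the sample commenter names are constructed for the example; the `\Q...\E` escaping of `$a_name` and the whitespace normalisation are additions of mine, so that an author name containing regex metacharacters cannot break the pattern and that a padded name like ' pete' is still caught.

```perl
#!/usr/bin/perl
# Added example, not Greymatter's own code: an author-impersonation check
# with the three modes proposed in the thread ('off', 'strict', 'loose').
# The author list and the sample commenter names below are constructed.
use strict;
use warnings;

# Constructed list of registered authors (stands in for the GM author file).
my @authors = ('Pete', 'Coldstone', 'J.R.');

# Returns 1 when $commenter should be blocked as an impersonation attempt
# under $mode, 0 otherwise. Comparison is case-insensitive, and surrounding
# whitespace is stripped first so that ' pete' is treated like 'Pete'.
sub author_blocked {
    my ($commenter, $mode) = @_;
    return 0 if $mode eq 'off';

    # Normalise: trim leading/trailing whitespace and collapse internal runs.
    (my $name = $commenter) =~ s/^\s+|\s+$//g;
    $name =~ s/\s+/ /g;

    for my $a_name (@authors) {
        # \Q...\E escapes regex metacharacters in the author name, so the
        # author 'J.R.' does not also match 'JxRx'.
        if ($mode eq 'strict') {
            # Whole-string match: 'Pete' yes, 'Pete Smith' and 'Pete sucks' no.
            return 1 if $name =~ m/^\Q$a_name\E$/i;
        }
        else {
            # 'loose': the author name as a whole word anywhere in the string.
            # (?:^|\W) and (?:\W|$) are used instead of \b because \b fails
            # when the name ends in a non-word character such as '.'.
            return 1 if $name =~ m/(?:^|\W)\Q$a_name\E(?:\W|$)/i;
        }
    }
    return 0;
}

# Worked run over constructed sample names.
my @samples = ('Pete', ' pete', 'Pete Smith', 'Pete sucks',
               'xPetex', 'J.R.', 'JxRx', 'Alice');
for my $mode ('strict', 'loose') {
    for my $s (@samples) {
        printf "%-6s %-14s -> %s\n", $mode, "'$s'",
            author_blocked($s, $mode) ? 'blocked' : 'allowed';
    }
}
```

Run as-is, strict mode blocks 'Pete', ' pete' and 'J.R.' and allows everything else, while loose mode additionally blocks 'Pete Smith' and 'Pete sucks'. Neither mode touches 'xPetex' or 'JxRx'. That is exactly the tension in the thread: loose mode catches “Pete sucks” but also turns away a genuine “Pete Smith”, and strict mode does the reverse, so the censor list (or the moderation queue) still has to handle the abusive case when strict is chosen.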