passing $_SERVER variables potentially exposes too much private information

[delgurth]

With the recent concerns about privacy regarding the new update feature,  another problem was exposed in the discussion about it. I didn't see this problem addressed in here, so I'll take the liberty to do that.

Only HTTP_COOKIE is excluded when the $_SERVER string is send (this is done for ticket #314). If someone uses basic HTTP authentication, the authentication data is send to Akismet, including the plaintext password.

Ryan Finnie created  a patch to address this problem and send it to the mailing list.

[delgurth]

The patch for akismet.php created by Ryan Finnie

[delgurth]

True, having both Akismet and HTTP authentication is a bit strange (don't you trust the people who can authenticate?) but still it's better to prevent such data from being send in the case someone has enabled both.

[matt]

I think has already been addressed in the plugin.

[delgurth]

Was just checking up on this "bug". Unfortunately the PHP_AUTH_USER and PHP_AUTH_PW are still send, if they are available.

At least they are in  rev 41034 of akismet.php

So IMHO it's not addressed, yet.

[tellyworth]

Suggested change: add PHP_AUTH_PW and HTTP_COOKIE2 to the $ignored array, but change the conditional block so that ignored items are included in $comment as a key with an empty value (rather than omitting them entirely).

[tellyworth]

Fixed in [268640]