Closed Bug 652560 Opened 13 years ago Closed 11 years ago

Hacks.m.o comment form pre-filled for (same) wrong user

Categories

(Developer Engagement :: Mozilla Hacks, task, P1)

x86
All

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 571535

People

(Reporter: jswisher, Unassigned)

Details

(Whiteboard: [specification-like][type:bug])

I can't reproduce this, but those who have seen it, please add any info you can.
I wrote a first comment [1] for which the comment form was empty. I registered for the follow-up e-mail.
The first e-mail I received was about this reply [2] even though it happened after other replies (maybe an unrelated bug).
I noticed this comment [3] (which shouldn't be attributed to Mathias either, btw) and noticed that for me too, the form was pre-filled with Mathias's info. I've fixed the info and commented again [4].
Now the pre-filled info is mine.

[1] http://hacks.mozilla.org/2011/04/fun-with-new-technologies-at-the-firefox-4-launch-party-in-london/comment-page-1/#comment-498409
[2] http://hacks.mozilla.org/2011/04/fun-with-new-technologies-at-the-firefox-4-launch-party-in-london/comment-page-1/#comment-498432
[3] http://hacks.mozilla.org/2011/04/fun-with-new-technologies-at-the-firefox-4-launch-party-in-london/comment-page-1/#comment-498452
[4] http://hacks.mozilla.org/2011/04/fun-with-new-technologies-at-the-firefox-4-launch-party-in-london/comment-page-1/#comment-498453
I don't know what you'll think of this idea, but you probably should shut comments down in order to avoid more of this: http://hacks.mozilla.org/2011/04/fun-with-new-technologies-at-the-firefox-4-launch-party-in-london/comment-page-1/#comment-498499
I put all comments on moderation until we figure this out. BTW, do you see this problem on other articles?
No, now I cannot see the problem in either the article or any other.
I have just been able to post a comment. Are you sure you disabled them?
Your second comment was posted, but your first one was held. Hmm.
I suspect this is some kind of caching issue with WordPress.

I didn’t even notice until people started asking me about the insulting first comment on the linked article, which appeared to be posted by me (although I honestly had nothing to do with it).

I had left comments on MozHacks before, so to make sure it wasn’t just because of my local cookies, I opened a new browser window in Private Browsing mode. The comment form was still prefilled with my personal data, including my email address.

A cookie-less curl request had the same result.

At least three other people on IRC saw the same result. Mike Taylor posted a comment with a screenshot: http://hacks.mozilla.org/2011/04/fun-with-new-technologies-at-the-firefox-4-launch-party-in-london/comment-page-1/#comment-498452

As a side effect, I see all these comments awaiting moderation that weren’t really posted by me: http://i.imgur.com/VAEu0.png

P.S. You’re lucky this happened to me and not someone else who actually cares about keeping his email address private. :) It sucks to see people post rude comments in my name, though.
There’s probably some sort of HTML caching going on. The problem is that the form is pre-filled with user info on the server-side (PHP), based on the user’s cookies. My guess is that when I requested the page, my cookies were used to pre-fill the form, and then the resulting HTML was cached and served to other people as well.

A cool fix would be to just use `localStorage` instead of cookies to store and retrieve user data. It’s either that, or tweak how the caching system works.
(In reply to comment #8)
> 
> At least three other people on IRC saw the same result. Mike Taylor posted a
> comment with a screenshot:
> http://hacks.mozilla.org/2011/04/fun-with-new-technologies-at-the-firefox-4-launch-party-in-london/comment-page-1/#comment-498452
> 

The crazy thing is that I never posted that screen shot so even *that* comment was part of the cache oddness :/
(In reply to comment #10)
> The crazy thing is that I never posted that screen shot so even *that* comment
> was part of the cache oddness :/

The plot thickens!

Looks like both Mozilla and Opera have a Mike Taylor working for them. :)
Heh, yeah. I was the one who took the screen shot.
This article may be helpful: http://www.satollo.net/wordpress-and-caching-plugins

> If the cache system caches a page generated by WordPress with the comment form pre-filled, the user data will be shown to everyone! Cache plugins usually have a filter to detect if the surfer is a commenter (if he has some specific cookies) and if so do not serve the cached content but a fresh page every time. You can identify such a filter if you have a caching plugin that integrates with Apache by modifying the .htaccess file. The rule to detect a commenter looks like:
> 
> RewriteCond %{HTTP_COOKIE} !^.*(comment_author_|wordpress|wp-postpass_).*$
> 
> Hyper Cache (and maybe other caches) can be configured in a different way: to force WordPress to ignore the commenter data or, better, to ignore commentators entirely and prevent WordPress from pre-filling the comment form, letting the cache always work. That makes the user’s experience on the blog worse, but can save an upgrade of the server.
> 
> There is a third solution, as implemented by Lite Cache, my cache plugin exercise, which solves the commentators’ problem.
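As an added illustration (not code from Hacks, WordPress or any of the caching plugins named in this bug), the following Python model replays the failure described in comments 8 and 9 and in the quoted article: a full-page cache keyed on URL alone hands one commenter's server-side pre-filled form to a cookie-less client, while a cache that bypasses any request carrying the cookie names from the RewriteCond above does not. The cookie names, URL and e-mail address are constructed for the example.

```python
import html
import re

# Cookie-name pattern taken from the RewriteCond quoted above: any cookie
# matching it marks the visitor as a commenter or logged-in user, so the
# response must neither be served from nor written into the shared cache.
COMMENTER_COOKIE_RE = re.compile(r"comment_author_|wordpress|wp-postpass_")


def render_comment_form(cookies: dict) -> str:
    """Simplified model of WordPress pre-filling the comment form on the
    server from commenter cookies (real WP suffixes the names with a hash;
    'HASH' here is a constructed placeholder)."""
    author = html.escape(cookies.get("comment_author_HASH", ""))
    email = html.escape(cookies.get("comment_author_email_HASH", ""))
    return (f'<input name="author" value="{author}">'
            f'<input name="email" value="{email}">')


class NaiveCache:
    """Page cache keyed on URL only: the HTML rendered for the first visitor
    is replayed to everyone, cookies ignored. This is the bug's failure mode."""
    def __init__(self):
        self.store = {}

    def get(self, url: str, cookies: dict) -> str:
        if url not in self.store:
            self.store[url] = render_comment_form(cookies)
        return self.store[url]


class CommenterAwareCache(NaiveCache):
    """Same cache, but requests with commenter cookies bypass it entirely:
    rendered fresh every time and never stored for other visitors."""
    def get(self, url: str, cookies: dict) -> str:
        if any(COMMENTER_COOKIE_RE.search(name) for name in cookies):
            return render_comment_form(cookies)
        return super().get(url, cookies)


def leaks_email(cache_cls) -> bool:
    """Replay the incident: a commenter loads the page first, then a
    cookie-less client (like the curl request in comment 8) loads it."""
    cache = cache_cls()
    commenter = {"comment_author_HASH": "Mathias",                    # constructed
                 "comment_author_email_HASH": "mathias@example.invalid"}
    url = "/2011/04/fun-with-new-technologies/"                       # constructed
    cache.get(url, commenter)
    anonymous_view = cache.get(url, {})
    return "mathias@example.invalid" in anonymous_view
```

Note that the aware cache keys its decision on cookie names only, exactly like the RewriteCond, so a cookie named `wordpress_test_cookie` also forces a bypass.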
I think the people who were affected by this bug (whose email address was exposed) deserve a free Mozilla t-shirt. :)
dherman saw this on brendaneich.com. Hope the fix applies to every WP install we support.

/be
Component: hacks.mozilla.org → Mozilla Hacks
Product: Websites → Mozilla Developer Network
Copying my comment from bug 673175...

I cannot reproduce anymore. I can see my own contact information in the form when I visit the page a second time, but not the contact information of another user.

The strange thing here is that Stephanie is even /seeing/ a comment that is in moderation. Normal users cannot do this. Maybe she was logged in? But after testing with jswisher, it appears that even logged-in users cannot see the contact information of other commenters today.

Marking as WORKSFORME. Please reopen if I am mistaken.
Group: websites-security
Priority: -- → P1
Whiteboard: [specification-like][type:bug]
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME
Nope, still happening. In fact, we have an older bug for this.
Resolution: WORKSFORME → DUPLICATE
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.
Group: websites-security
Product: Mozilla Developer Network → Developer Engagement