
Changeset 49563


Timestamp:
11/12/2020 04:14:44 AM (4 years ago)
Author:
peterwilsoncc
Message:

Canonical: Prevent ID enumeration of private post slugs.

Add check to redirect_canonical() to ensure the destination post is not using a private post status.

Props dd32, Denis-de-Bernardy, donmhico, helen, nacin, peterwilsoncc, pishmishy, TimothyBlynJacobs, tzafrir, Viper007Bond, whyisjake.
Fixes #5272.

Location:
trunk
Files:
1 added
2 edited

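--- a/trunk/src/wp-includes/canonical.php
+++ b/trunk/src/wp-includes/canonical.php
@@ -78,4 +78,5 @@
     $redirect     = $original;
     $redirect_url = false;
+    $redirect_obj = false;
 
     // Notice fixing.
@@ -103,4 +104,5 @@
     if ( is_feed() && $post_id ) {
         $redirect_url = get_post_comments_feed_link( $post_id, get_query_var( 'feed' ) );
+        $redirect_obj = get_post( $post_id );
 
         if ( $redirect_url ) {
@@ -127,4 +129,5 @@
 
             $redirect_url = get_permalink( $post_id );
+            $redirect_obj = get_post( $post_id );
 
             if ( $redirect_url ) {
@@ -151,4 +154,5 @@
             if ( $post_type_obj->public && 'auto-draft' !== $redirect_post->post_status ) {
                 $redirect_url = get_permalink( $redirect_post );
+                $redirect_obj = get_post( $redirect_post );
 
                 $redirect['query'] = _remove_qs_args_if_not_in_url(
@@ -198,4 +202,5 @@
             if ( $post_id ) {
                 $redirect_url = get_permalink( $post_id );
+                $redirect_obj = get_post( $post_id );
 
                 $redirect['path']  = rtrim( $redirect['path'], (int) get_query_var( 'page' ) . '/' );
@@ -224,4 +229,5 @@
             if ( ! empty( $_GET['attachment_id'] ) ) {
                 $redirect_url = get_attachment_link( get_query_var( 'attachment_id' ) );
+                $redirect_obj = get_post( get_query_var( 'attachment_id' ) );
 
                 if ( $redirect_url ) {
@@ -230,7 +236,9 @@
             } else {
                 $redirect_url = get_attachment_link();
+                $redirect_obj = get_post();
             }
         } elseif ( is_single() && ! empty( $_GET['p'] ) && ! $redirect_url ) {
             $redirect_url = get_permalink( get_query_var( 'p' ) );
+            $redirect_obj = get_post( get_query_var( 'p' ) );
 
             if ( $redirect_url ) {
@@ -239,4 +247,5 @@
         } elseif ( is_single() && ! empty( $_GET['name'] ) && ! $redirect_url ) {
             $redirect_url = get_permalink( $wp_query->get_queried_object_id() );
+            $redirect_obj = get_post( $wp_query->get_queried_object_id() );
 
             if ( $redirect_url ) {
@@ -245,4 +254,5 @@
         } elseif ( is_page() && ! empty( $_GET['page_id'] ) && ! $redirect_url ) {
             $redirect_url = get_permalink( get_query_var( 'page_id' ) );
+            $redirect_obj = get_post( get_query_var( 'page_id' ) );
 
             if ( $redirect_url ) {
@@ -257,4 +267,5 @@
         ) {
             $redirect_url = get_permalink( get_option( 'page_for_posts' ) );
+            $redirect_obj = get_post( get_option( 'page_for_posts' ) );
 
             if ( $redirect_url ) {
@@ -311,4 +322,5 @@
             ) {
                 $redirect_url = get_author_posts_url( $author->ID, $author->user_nicename );
+                $redirect_obj = $author;
 
                 if ( $redirect_url ) {
@@ -386,4 +398,5 @@
                 ) {
                     $redirect_url = get_permalink( $wp_query->get_queried_object_id() );
+                    $redirect_obj = get_post( $wp_query->get_queried_object_id() );
                 }
             }
@@ -396,4 +409,5 @@
             if ( ! $redirect_url ) {
                 $redirect_url = get_permalink( get_queried_object_id() );
+                $redirect_obj = get_post( get_queried_object_id() );
             }
 
@@ -741,4 +755,30 @@
     }
 
+    if (
+        $redirect_obj &&
+        is_a( $redirect_obj, 'WP_Post' )
+    ) {
+        $post_status_obj = get_post_status_object( get_post_status( $redirect_obj ) );
+        if (
+            // Unviewable post types are never redirected.
+            ! is_post_type_viewable( $redirect_obj->post_type ) ||
+            // Internal or protected posts never redirect.
+            $post_status_obj->internal ||
+            $post_status_obj->protected ||
+            (
+                // Don't redirect a non-public post...
+                ! $post_status_obj->public &&
+                (
+                    // ...unless it's private and the logged in user has access.
+                    $post_status_obj->private &&
+                    ! current_user_can( 'read_post', $redirect_obj->ID )
+                )
+            )
+        ) {
+            $redirect_obj = false;
+            $redirect_url = false;
+        }
+    }
+
     /**
      * Filters the canonical redirect URL.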
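Review bot: The nested condition under `// Don't redirect a non-public post...` is narrower than its comments describe: when a status is neither public nor private (and not internal or protected), `! public && ( private && ! can_read )` evaluates to false and the post is still redirected, so the slug is still disclosed for that status. If the intent is "block every non-public status unless it is private and the current user can read it", the inner test should be `! $post_status_obj->public && ! ( $post_status_obj->private && current_user_can( 'read_post', $redirect_obj->ID ) )`; otherwise the comment should be reworded so the exception reads as private-only. As far as I recall the built-in statuses are covered either way (draft/pending/future are protected, trash/auto-draft/inherit internal), so this presumably only matters for a custom status registered with one of the four flags explicitly set to false. Separately, `get_post_status_object()` returns null for an unregistered status, so `$post_status_obj->internal` would emit a warning on a post with such a status; adding `! $post_status_obj ||` as the first disjunct keeps the guard failing closed. `redirect_canonical()` starts and ends outside the hunk.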
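--- a/trunk/src/wp-includes/link-template.php
+++ b/trunk/src/wp-includes/link-template.php
@@ -419,4 +419,15 @@
     if ( $parent && ! in_array( $parent->post_type, get_post_types(), true ) ) {
         $parent = false;
+    }
+
+    if ( $parent ) {
+        $parent_status_obj = get_post_status_object( get_post_status( $post->post_parent ) );
+        if (
+            ! is_post_type_viewable( get_post_type( $post->post_parent ) ) ||
+            $parent_status_obj->internal ||
+            $parent_status_obj->protected
+        ) {
+            $parent = false;
+        }
     }
 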
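Review bot: The new parent check dereferences `$parent_status_obj` without a null guard, so a parent with an unregistered status makes `get_post_status_object()` return null and `$parent_status_obj->internal` raises a warning; `! $parent_status_obj ||` as the first disjunct keeps the block failing closed. The block also re-fetches the parent by ID (`get_post_type( $post->post_parent )`, `get_post_status( $post->post_parent )`) although `$parent` is already the loaded WP_Post tested on the line above, so `$parent->post_type` and `get_post_status( $parent )` would be simpler and make the two checks read consistently. Unlike the matching block added to canonical.php in this changeset, this one does not look at the public/private flags of the parent status, which may be deliberate since it only decides whether the parent slug is prefixed to the attachment link; a one-line comment such as `// Only viewable, non-internal, non-protected parents contribute their slug to the attachment link.` would make that explicit. The enclosing function starts and ends outside the hunk.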