Make WordPress Core


Timestamp:
11/12/2020 04:14:44 AM (4 years ago)
Author:
peterwilsoncc
Message:

Canonical: Prevent ID enumeration of private post slugs.

Add check to redirect_canonical() to ensure the destination post is not using a private post status.

Props dd32, Denis-de-Bernardy, donmhico, helen, nacin, peterwilsoncc, pishmishy, TimothyBlynJacobs, tzafrir, Viper007Bond, whyisjake.
Fixes #5272.

File:
1 edited

  • trunk/src/wp-includes/link-template.php

    r49222 r49563  
    419419    if ( $parent && ! in_array( $parent->post_type, get_post_types(), true ) ) {
    420420        $parent = false;
     421    }
     422
     423    if ( $parent ) {
     424        $parent_status_obj = get_post_status_object( get_post_status( $post->post_parent ) );
     425        if (
     426            ! is_post_type_viewable( get_post_type( $post->post_parent ) ) ||
     427            $parent_status_obj->internal ||
     428            $parent_status_obj->protected
     429        ) {
     430            $parent = false;
     431        }
    421432    }
    422433
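Review bot: `get_post_status_object()` returns null when the parent's status is not a registered status (for example a custom status whose plugin has since been deactivated), so `$parent_status_obj->internal` and `$parent_status_obj->protected` would read properties of null and raise a PHP warning rather than falling through to `$parent = false`. Suggest guarding the object before the flag checks, e.g. `! $parent_status_obj ||` as the first clause of the condition, so an unknown status is treated as non-viewable. Minor: `$parent` is already the loaded parent post at this point (its `post_type` is read on the line above), so `$parent->post_type` and `$parent->post_status` could replace the `get_post_type( $post->post_parent )` and `get_post_status( $post->post_parent )` lookups by ID.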