WordPress.org
Get WordPress

Make WordPress Core


Ignore:
Timestamp:
02/02/2021 12:38:40 AM (5 years ago)
Author:
peterwilsoncc
Message:

Canonical: Prevent ID enumeration of private post slugs.

Add check to redirect_canonical() to ensure private posts only redirect for logged in users.

Modifies the read_post mata capability to user get_post_status() rather than the post's post_status property to allow attachments to redirect based on the inherited post status.

Introduces wp_force_ugly_post_permalink() to unify the check to determine if an ugly link should be displayed in each of the functions used for determining permalinks: get_permalink(), get_post_permalink(), _get_page_link() and get_attachment_link().

Improves logic of get_attachment_link() to validate parent post and resolution of inherited post status. This is an incomplete fix of #52373 to prevent the function returning links resulting in a file not found error. Required to unblock this ticket.

Props peterwilsoncc, TimothyBlynJacobs.
See #52373.
Fixes #5272.

File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/src/wp-includes/canonical.php

    r49924 r50132  
    7878    $redirect     = $original;
    7979    $redirect_url = false;
     80    $redirect_obj = false;
    8081
    8182    // Notice fixing.
     
    103104    if ( is_feed() && $post_id ) {
    104105        $redirect_url = get_post_comments_feed_link( $post_id, get_query_var( 'feed' ) );
     106        $redirect_obj = get_post( $post_id );
    105107
    106108        if ( $redirect_url ) {
     
    127129
    128130            $redirect_url = get_permalink( $post_id );
     131            $redirect_obj = get_post( $post_id );
    129132
    130133            if ( $redirect_url ) {
     
    151154            if ( $post_type_obj && $post_type_obj->public && 'auto-draft' !== $redirect_post->post_status ) {
    152155                $redirect_url = get_permalink( $redirect_post );
     156                $redirect_obj = get_post( $redirect_post );
    153157
    154158                $redirect['query'] = _remove_qs_args_if_not_in_url(
     
    198202            if ( $post_id ) {
    199203                $redirect_url = get_permalink( $post_id );
     204                $redirect_obj = get_post( $post_id );
    200205
    201206                $redirect['path']  = rtrim( $redirect['path'], (int) get_query_var( 'page' ) . '/' );
     
    224229            if ( ! empty( $_GET['attachment_id'] ) ) {
    225230                $redirect_url = get_attachment_link( get_query_var( 'attachment_id' ) );
     231                $redirect_obj = get_post( get_query_var( 'attachment_id' ) );
    226232
    227233                if ( $redirect_url ) {
     
    230236            } else {
    231237                $redirect_url = get_attachment_link();
     238                $redirect_obj = get_post();
    232239            }
    233240        } elseif ( is_single() && ! empty( $_GET['p'] ) && ! $redirect_url ) {
    234241            $redirect_url = get_permalink( get_query_var( 'p' ) );
     242            $redirect_obj = get_post( get_query_var( 'p' ) );
    235243
    236244            if ( $redirect_url ) {
     
    239247        } elseif ( is_single() && ! empty( $_GET['name'] ) && ! $redirect_url ) {
    240248            $redirect_url = get_permalink( $wp_query->get_queried_object_id() );
     249            $redirect_obj = get_post( $wp_query->get_queried_object_id() );
    241250
    242251            if ( $redirect_url ) {
     
    245254        } elseif ( is_page() && ! empty( $_GET['page_id'] ) && ! $redirect_url ) {
    246255            $redirect_url = get_permalink( get_query_var( 'page_id' ) );
     256            $redirect_obj = get_post( get_query_var( 'page_id' ) );
    247257
    248258            if ( $redirect_url ) {
     
    257267        ) {
    258268            $redirect_url = get_permalink( get_option( 'page_for_posts' ) );
     269            $redirect_obj = get_post( get_option( 'page_for_posts' ) );
    259270
    260271            if ( $redirect_url ) {
     
    311322            ) {
    312323                $redirect_url = get_author_posts_url( $author->ID, $author->user_nicename );
     324                $redirect_obj = $author;
    313325
    314326                if ( $redirect_url ) {
     
    386398                ) {
    387399                    $redirect_url = get_permalink( $wp_query->get_queried_object_id() );
     400                    $redirect_obj = get_post( $wp_query->get_queried_object_id() );
    388401                }
    389402            }
     
    396409            if ( ! $redirect_url ) {
    397410                $redirect_url = get_permalink( get_queried_object_id() );
     411                $redirect_obj = get_post( get_queried_object_id() );
    398412            }
    399413
     
    741755    }
    742756
     757    if ( $redirect_obj instanceof WP_Post ) {
     758        $post_status_obj = get_post_status_object( get_post_status( $redirect_obj ) );
     759        /*
     760         * Unset the redirect object and URL if they are not readable by the user.
     761         * This condition is a little confusing as the condition needs to pass if
     762         * the post is not readable by the user. That's why there are ! (not) conditions
     763         * throughout.
     764         */
     765        if (
     766            // Private post statuses only redirect if the user can read them.
     767            ! (
     768                $post_status_obj->private &&
     769                current_user_can( 'read_post', $redirect_obj->ID )
     770            ) &&
     771            // For other posts, only redirect if publicly viewable.
     772            ! is_post_publicly_viewable( $redirect_obj )
     773        ) {
     774            $redirect_obj = false;
     775            $redirect_url = false;
     776        }
     777    }
     778
    743779    /**
    744780     * Filters the canonical redirect URL.
Note: See TracChangeset for help on using the changeset viewer.