Changeset 50132 for trunk/src/wp-includes/link-template.php

Timestamp:

02/02/2021 12:38:40 AM (5 years ago)

Author:

peterwilsoncc

Message:

Canonical: Prevent ID enumeration of private post slugs.

Add check to redirect_canonical() to ensure private posts only redirect for logged in users.

Modifies the read_post mata capability to user get_post_status() rather than the post's post_status property to allow attachments to redirect based on the inherited post status.

Introduces wp_force_ugly_post_permalink() to unify the check to determine if an ugly link should be displayed in each of the functions used for determining permalinks: get_permalink(), get_post_permalink(), _get_page_link() and get_attachment_link().

Improves logic of get_attachment_link() to validate parent post and resolution of inherited post status. This is an incomplete fix of #52373 to prevent the function returning links resulting in a file not found error. Required to unblock this ticket.

Props peterwilsoncc, TimothyBlynJacobs.
See #52373.
Fixes #5272.

File:

• trunk/src/wp-includes/link-template.php (modified) (7 diffs)

trunk/src/wp-includes/link-template.php

@@ -88 +88 @@
             break;
     }
+}
+
+/**
+ * Determine whether post should always use an ugly permalink structure.
+ *
+ * @since 5.7.0
+ *
+ * @param WP_Post|int|null $post   Optional. Post ID or post object. Defaults to global $post.
+ * @param bool|null        $sample Optional. Whether to force consideration based on sample links.
+ *                                 If omitted, a sample link is generated if a post object is passed
+ *                                 with the filter property set to 'sample'.
+ * @return bool Whether to use an ugly permalink structure.
+ */
+function wp_force_ugly_post_permalink( $post = null, $sample = null ) {
+    if (
+        null === $sample &&
+        is_object( $post ) &&
+        isset( $post->filter ) &&
+        'sample' === $post->filter
+    ) {
+        $sample = true;
+    } else {
+        $post   = get_post( $post );
+        $sample = null !== $sample ? $sample : false;
+    }
+
+    if ( ! $post ) {
+        return true;
+    }
+
+    $post_status_obj = get_post_status_object( get_post_status( $post ) );
+    $post_type_obj   = get_post_type_object( get_post_type( $post ) );
+
+    if ( ! $post_status_obj || ! $post_type_obj ) {
+        return true;
+    }
+
+    if (
+        // Publicly viewable links never have ugly permalinks.
+        is_post_status_viewable( $post_status_obj ) ||
+        (
+            // Private posts don't have ugly links if the user can read them.
+            $post_status_obj->private &&
+            current_user_can( 'read_post', $post->ID )
+        ) ||
+        // Protected posts don't have ugly links if getting a sample URL.
+        ( $post_status_obj->protected && $sample )
+    ) {
+        return false;
+    }
+
+    return true;
 }
 
@@ -167 +219 @@
     if (
         $permalink &&
-        ! in_array( $post->post_status, array( 'draft', 'pending', 'auto-draft', 'future', 'trash' ), true )
+        ! wp_force_ugly_post_permalink( $post )
     ) {
 
@@ -278 +330 @@
     $slug = $post->post_name;
 
-    $draft_or_pending = get_post_status( $post ) && in_array( get_post_status( $post ), array( 'draft', 'pending', 'auto-draft', 'future' ), true );
+    $force_ugly_link = wp_force_ugly_post_permalink( $post );
 
     $post_type = get_post_type_object( $post->post_type );
@@ -286 +338 @@
     }
 
-    if ( ! empty( $post_link ) && ( ! $draft_or_pending || $sample ) ) {
+    if ( ! empty( $post_link ) && ( ! $force_ugly_link || $sample ) ) {
         if ( ! $leavename ) {
             $post_link = str_replace( "%$post->post_type%", $slug, $post_link );
@@ -292 +344 @@
         $post_link = home_url( user_trailingslashit( $post_link ) );
     } else {
-        if ( $post_type->query_var && ( isset( $post->post_status ) && ! $draft_or_pending ) ) {
+        if ( $post_type->query_var && ( isset( $post->post_status ) && ! $force_ugly_link ) ) {
             $post_link = add_query_arg( $post_type->query_var, $slug, '' );
         } else {
@@ -374 +426 @@
     $post = get_post( $post );
 
-    $draft_or_pending = in_array( $post->post_status, array( 'draft', 'pending', 'auto-draft' ), true );
+    $force_ugly_link = wp_force_ugly_post_permalink( $post );
 
     $link = $wp_rewrite->get_page_permastruct();
 
-    if ( ! empty( $link ) && ( ( isset( $post->post_status ) && ! $draft_or_pending ) || $sample ) ) {
+    if ( ! empty( $link ) && ( ( isset( $post->post_status ) && ! $force_ugly_link ) || $sample ) ) {
         if ( ! $leavename ) {
             $link = str_replace( '%pagename%', get_page_uri( $post ), $link );
@@ -418 +470 @@
     $link = false;
 
-    $post   = get_post( $post );
-    $parent = ( $post->post_parent > 0 && $post->post_parent != $post->ID ) ? get_post( $post->post_parent ) : false;
-    if ( $parent && ! in_array( $parent->post_type, get_post_types(), true ) ) {
-        $parent = false;
-    }
-
-    if ( $wp_rewrite->using_permalinks() && $parent ) {
+    $post            = get_post( $post );
+    $force_ugly_link = wp_force_ugly_post_permalink( $post );
+    $parent_id       = $post->post_parent;
+    $parent          = $parent_id ? get_post( $parent_id ) : false;
+    $parent_valid    = true; // Default for no parent.
+    if (
+        $parent_id &&
+        (
+            $post->post_parent === $post->ID ||
+            ! $parent ||
+            ! is_post_type_viewable( get_post_type( $parent ) )
+        )
+    ) {
+        // Post is either its own parent or parent post unavailable.
+        $parent_valid = false;
+    }
+
+    if ( $force_ugly_link || ! $parent_valid ) {
+        $link = false;
+    } elseif ( $wp_rewrite->using_permalinks() && $parent ) {
         if ( 'page' === $parent->post_type ) {
             $parentlink = _get_page_link( $post->post_parent ); // Ignores page_on_front.