#30910 closed defect (bug) (fixed)
future post permalink can be revealed when blog article requested by url like ...?p={post_id}
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | 4.2 | Priority: | normal |
| Severity: | normal | Version: | 4.2 |
| Component: | Posts, Post Types | Keywords: | has-patch |
| Focuses: | | Cc: | |
Description
If your permalink is composed of the article's title, it can easily be revealed by brute force on the post ID, giving a clue to the content of your future post.
A 404 error is rendered in this case, but the location is changed from ?p=NNNN to the permalink of the future post, which is sometimes completely undesirable.
There is a workaround for this with a filter on 'redirect_canonical', but I think this should be part of core.
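The 'redirect_canonical' workaround the reporter mentions, as an added example (it is not the ticket's patch and not WordPress core code): a filter that cancels the ?p=NNNN to pretty-permalink redirect for any post that is not published and not readable by the current user, so the 404 is served without the scheduled post's slug appearing in the Location header. add_filter, get_query_var, get_post, current_user_can and the redirect_canonical hook (which passes the redirect URL and the requested URL, and treats a false return as "do not redirect") are real WordPress APIs; the function name and the mu-plugin placement are choices made for this example.

```php
<?php
/**
 * Added example (not the ticket's patch): suppress the canonical redirect
 * from ?p=NNNN to the pretty permalink while a post is not public.
 *
 * redirect_canonical() builds get_permalink( NNNN ) for a ?p= request before
 * the post's visibility is considered, so the slug of a 'future' post leaks
 * even though the response body is a 404. Returning false from the
 * 'redirect_canonical' filter keeps the visitor on the numeric URL.
 *
 * Intended to live in a small must-use plugin (wp-content/mu-plugins/).
 */

add_filter( 'redirect_canonical', 'ticket30910_block_unpublished_redirect', 10, 2 );

/**
 * @param string|false $redirect_url  URL WordPress intends to redirect to.
 * @param string       $requested_url URL that was actually requested.
 * @return string|false The original redirect, or false to cancel it.
 */
function ticket30910_block_unpublished_redirect( $redirect_url, $requested_url ) {
	// Only the numeric forms of the request matter; a pretty permalink
	// already contains the slug, so there is nothing left to protect.
	$post_id = (int) get_query_var( 'p' );
	if ( ! $post_id ) {
		$post_id = (int) get_query_var( 'page_id' );
	}
	if ( ! $post_id ) {
		return $redirect_url;
	}

	$post = get_post( $post_id );
	if ( ! $post ) {
		return $redirect_url;
	}

	// Published posts redirect exactly as before.
	if ( 'publish' === $post->post_status ) {
		return $redirect_url;
	}

	// Users allowed to read the post (an editor previewing a scheduled post)
	// still get the pretty URL, so the 'View Post' workflow from the thread
	// keeps working for them; 'read_post' is a meta capability that
	// WordPress resolves against the post's type and status.
	if ( current_user_can( 'read_post', $post_id ) ) {
		return $redirect_url;
	}

	// Everyone else stays on ?p=NNNN and receives the 404 with no
	// Location header that would reveal the future slug.
	return false;
}
```

Verifying the effect is a matter of requesting /?p=NNNN for a scheduled post while logged out and checking that the response is a plain 404 with no Location header, then repeating the request as a user who can read the post and confirming the redirect still happens.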
Attachments (4)
Change History (19)
#1
10 years ago
- Component changed from Canonical to Posts, Post Types
- Keywords has-patch added
- Milestone changed from Awaiting Review to 4.2
#3
in reply to: ↑ 2; follow-up: ↓ 4
10 years ago
Replying to SergeyBiryukov:
I do not believe - but I would be happy to be corrected - that the patch supplied will solve the problem.
I was able to recreate the problem, but not yet in a unit test. I can recreate it with wget. I believe the problem lies not in get_post_permalink() but in get_permalink().
Again, I could be wrong. I'm posting to get an opinion before I attempt to solve the wrong problem. :)
Cheers!
=C=
#4
in reply to: ↑ 3
10 years ago
I did some additional tests. So, get_permalink() works for native post type and get_post_permalink() works for custom post type. So both functions should be patched.
Replying to CalEvans:
Replying to SergeyBiryukov:
I do not believe - but I would be happy to be corrected - that the patch supplied will solve the problem.
I was able to recreate the problem, but not yet in a unit test. I can recreate it with wget. I believe the problem lies not in get_post_permalink() but in get_permalink().
Again, I could be wrong. I'm posting to get an opinion before I attempt to solve the wrong problem. :)
Cheers!
=C=
#6
10 years ago
- Keywords needs-unit-tests removed
2 new assertions added, one for each condition.
Cheers!
=C=
#7
10 years ago
- Owner set to boonebgorges
- Resolution set to fixed
- Status changed from new to closed
In 31114:
#8
10 years ago
- Resolution fixed deleted
- Status changed from closed to reopened
Looks like [31114] inadvertently introduced a regression in terms of how the sample permalink markup is displayed in edit-form-advanced. I actually noticed that while posting on the make/core P2, the sample permalink was no longer visible or editable for scheduled posts in trunk:
Turns out, we missed adding the 'future' post status to the exception list in get_sample_permalink(). This is covered in 30910.diff.
Without adding 'future' to the exception list, when get_permalink() is called with the $leavename parameter set to true, the permalink fragment that gets passed through doesn't have the %postname% or %pagename% tag included, which ultimately results in it failing checks for a sample permalink in the UI. Interesting bug to track down.
#9
10 years ago
Thanks for digging this up, DrewAPicture. I've verified the issue and managed to write a unit test to demonstrate the bug and your fix (it was not straightforward to do).
#11
follow-up: ↓ 12
10 years ago
- Resolution fixed deleted
- Status changed from closed to reopened
This fix creates a disruption in the workflow of authors who use the 'View Post' button on drafts to also get a copy of the full pretty permalink, for use in social media tools and other planning.
Copying that permalink from the edit screen is frequently sub-optimal.
Ideally, the 'View Post' button would still take you to the pretty permalink, but the numeric ?p=123 url would not redirect to the pretty version until the post is published publicly. Is that possible?
#12
in reply to: ↑ 11
10 years ago
Replying to kevkoeh:
Ideally, the 'View Post' button would still take you to the pretty permalink, but the numeric ?p=123 url would not redirect to the pretty version until the post is published publicly. Is that possible?
Ah, I hadn't thought about that. Yes: we should be able to use the pretty permalink for the href of the 'View Post' button. That URL will properly route to the scheduled post for users who have the capability to read it.
suggested patch