Make WordPress Core

Opened 18 years ago

Closed 16 years ago

#3317 closed defect (bug) (duplicate)

Protected posts should not be found in searches

Reported by: dosa's profile dosa Owned by:
Milestone: Priority: normal
Severity: normal Version: 2.5.1
Component: Security Keywords: needs-patch
Focuses: Cc:

Description

By listing password protected posts in search results nosey users can fish for the post content - eg trying their own name if they think the post might be about them.

Change History (14)

#1 @ryan
18 years ago

  • Milestone changed from 2.0.5 to 2.1

#2 @markjaquith
18 years ago

  • Resolution set to worksforme
  • Status changed from new to closed

Could not duplicate on trunk. I couldn't get private posts to show up in search results for non-logged-in users or logged-in users who didn't write the private post.

#3 @Nazgul
17 years ago

  • Milestone 2.1 deleted

#4 @arminbw
17 years ago

  • Component changed from General to Security
  • Resolution worksforme deleted
  • Status changed from closed to reopened
  • Version changed from 2.1 to 2.5.1

I could reproduce this on version 2.5.1. Details here: http://wordpress.org/support/topic/180743

#5 @DD32
17 years ago

Tested on trunk:

  • Created New post, Set a password, Gave it tags & categories, Added a unique word to the content
  • Upon searching for the term:
    • The Post appears in the listing, however:
      • It requests a password to view the contents
      • It does display the title: "Protected: My Secret Post" and the date
      • It doesnt show me any details of the post
  • While i was at it, checked how it appeared in the RSS feed, Same as above, not content leaked.

I believe the issue at question here, is that when you logout, The password cookie is not cleared, So If someone has added a password, and then typed it in, Then they will continue to see the posts' real content until a point where the password cookie is cleared.

So its a bit confusing for users who think their Private/Protected page is available for viewing by all.

#6 @arminbw
16 years ago

The protected content does not show up, but - like dosa stated - you can "fish" for it.

simplified szenario:

  1. You write an article titled "people we do not like"
  2. You include the Name "Sue" in your article and protect it with a password
  3. Sue visits your blog and searches for her name
  4. While she is at it, she starts to search for all kind of other names..

#7 @DD32
16 years ago

  • Milestone set to 2.7

#8 @matt
16 years ago

  • Milestone changed from 2.7 to 2.8

#9 follow-up: @netsensei
16 years ago

I've looked at this issue. Just wanted some feedback.

My solution would be to change the query to exclude all password protected posts, except those that are 'unlocked' with a valid password. I think this would require a change of the queries around line 1755 in query.php.

I suppose one would left join against a list of password unlocked posts/pages.

Just tossing with the idea here. I didn't actually tried to implement this because I'm not that knowledgeable with wordpress core code.

#10 in reply to: ↑ 9 @Nicholas91
16 years ago

  • Cc dragos.nicholas@… added
  • Keywords needs-patch added

Replying to netsensei:

I've looked at this issue. Just wanted some feedback.

My solution would be to change the query to exclude all password protected posts, except those that are 'unlocked' with a valid password. I think this would require a change of the queries around line 1755 in query.php.

I suppose one would left join against a list of password unlocked posts/pages.

Just tossing with the idea here. I didn't actually tried to implement this because I'm not that knowledgeable with wordpress core code.

I agree with you. Someone please write a patch for the above idea.

#11 @Nicholas91
16 years ago

And can we also add

<META NAME="ROBOTS" CONTENT="NOINDEX, FOLLOW">

on the password protected post?

#13 @CiaranG
16 years ago

  • Cc ciaran@… added

#14 @Denis-de-Bernardy
16 years ago

  • Milestone 2.8 deleted
  • Resolution set to duplicate
  • Status changed from reopened to closed

fixed in r11106

Note: See TracTickets for help on using tickets.