Opened 18 years ago
Closed 16 years ago
#3317 closed defect (bug) (duplicate)
Protected posts should not be found in searches
Reported by: | dosa | Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | normal | Version: | 2.5.1 |
Component: | Security | Keywords: | needs-patch |
Focuses: | Cc: |
Description
By listing password protected posts in search results nosey users can fish for the post content - eg trying their own name if they think the post might be about them.
Change History (14)
#4
@
17 years ago
- Component changed from General to Security
- Resolution worksforme deleted
- Status changed from closed to reopened
- Version changed from 2.1 to 2.5.1
I could reproduce this on version 2.5.1. Details here: http://wordpress.org/support/topic/180743
#5
@
17 years ago
Tested on trunk:
- Created New post, Set a password, Gave it tags & categories, Added a unique word to the content
- Upon searching for the term:
- The Post appears in the listing, however:
- It requests a password to view the contents
- It does display the title: "Protected: My Secret Post" and the date
- It doesnt show me any details of the post
- The Post appears in the listing, however:
- While i was at it, checked how it appeared in the RSS feed, Same as above, not content leaked.
I believe the issue at question here, is that when you logout, The password cookie is not cleared, So If someone has added a password, and then typed it in, Then they will continue to see the posts' real content until a point where the password cookie is cleared.
So its a bit confusing for users who think their Private/Protected page is available for viewing by all.
#6
@
16 years ago
The protected content does not show up, but - like dosa stated - you can "fish" for it.
simplified szenario:
- You write an article titled "people we do not like"
- You include the Name "Sue" in your article and protect it with a password
- Sue visits your blog and searches for her name
- While she is at it, she starts to search for all kind of other names..
#9
follow-up:
↓ 10
@
16 years ago
I've looked at this issue. Just wanted some feedback.
My solution would be to change the query to exclude all password protected posts, except those that are 'unlocked' with a valid password. I think this would require a change of the queries around line 1755 in query.php.
I suppose one would left join against a list of password unlocked posts/pages.
Just tossing with the idea here. I didn't actually tried to implement this because I'm not that knowledgeable with wordpress core code.
#10
in reply to:
↑ 9
@
16 years ago
- Cc dragos.nicholas@… added
- Keywords needs-patch added
Replying to netsensei:
I've looked at this issue. Just wanted some feedback.
My solution would be to change the query to exclude all password protected posts, except those that are 'unlocked' with a valid password. I think this would require a change of the queries around line 1755 in query.php.
I suppose one would left join against a list of password unlocked posts/pages.
Just tossing with the idea here. I didn't actually tried to implement this because I'm not that knowledgeable with wordpress core code.
I agree with you. Someone please write a patch for the above idea.
Could not duplicate on trunk. I couldn't get private posts to show up in search results for non-logged-in users or logged-in users who didn't write the private post.