Opened 4 years ago
Last modified 11 months ago
#52337 new defect (bug)
Non-numeric attachment_id and p query string params result in posts page
Reported by: | timbarkerse | Owned by: | |
---|---|---|---|
Milestone: | Future Release | Priority: | normal |
Severity: | normal | Version: | |
Component: | Query | Keywords: | has-patch |
Focuses: | | Cc: | |
Description
We've had a very thorough security review done on our site and the reviewer flagged up that giving a non-numeric parameter to p or attachment_id parameters: e.g.
site.com/?p=c or
site.com/?attachment_id=c
returns the posts page of the site. I would expect the 404 page. This behaviour returns the posts page even when we don't want this page to be visible on the site i.e. when the front page is set to a static page and we show the posts in other ways.
I have tested it on a clean install of the latest version of WP with no plugins.
Change History (4)
#3
@
11 months ago
- Keywords needs-patch added
- Milestone changed from Awaiting Review to Future Release
This issue didn't go anyway, I assume it should have been a 404 error and not the home page.
Right now I have a problem and am looking for a way to fix it and not to have broken pages when someone is playing with the URL; it isn't good on the site that should be cool and fancy.
I wonder if we can drag it to the next milestone to get more attention.
This ticket was mentioned in PR #5516 on WordPress/wordpress-develop by @oglekler.
11 months ago
#4
- Keywords has-patch added; needs-patch removed
Trac ticket: https://core.trac.wordpress.org/ticket/52337
NB: empty attachment_id e.g.
site.com/?attachment_id=
also results in the same behaviour
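
A site-level workaround for the behaviour reported in this ticket, as an added example: it is not the patch from PR #5516 and not WordPress core code. The file name, function names and constant are hypothetical, and the code relies on WordPress treating an `error` query variable of `404` as a not-found request.

```php
<?php
/**
 * Plugin Name: Strict post ID query vars (added example)
 *
 * Hypothetical must-use plugin, e.g. wp-content/mu-plugins/strict-post-id-vars.php.
 * Answers with a 404 when ?p= or ?attachment_id= is present in the query
 * string but is not a plain run of digits, instead of showing the posts page.
 */

// The two query string parameters named in the ticket.
const STRICT_ID_QUERY_VARS = array( 'p', 'attachment_id' );

/**
 * True only for a non-empty string made up entirely of ASCII digits.
 * Rejects 'c', '' (the empty attachment_id case), '12abc', '-1', '1.5'
 * and array input such as ?p[]=1.
 */
function strict_id_is_valid( $raw ) {
	return is_string( $raw ) && 1 === preg_match( '/\A[0-9]+\z/', $raw );
}

/**
 * Callback for the 'request' filter, which runs on the parsed query
 * variables before the main query is built. The raw value is read from
 * $_GET because the ticket concerns query string parameters and the check
 * has to see the value exactly as the visitor sent it.
 */
function strict_id_force_404( $query_vars ) {
	// Leave dashboard requests alone; only the public front end is affected.
	if ( is_admin() ) {
		return $query_vars;
	}

	foreach ( STRICT_ID_QUERY_VARS as $name ) {
		if ( isset( $_GET[ $name ] ) && ! strict_id_is_valid( $_GET[ $name ] ) ) {
			// Discard the other query variables and request the 404 page.
			return array( 'error' => '404' );
		}
	}

	return $query_vars;
}
add_filter( 'request', 'strict_id_force_404' );
```

After installing it on a staging copy, check that `site.com/?p=c`, `site.com/?attachment_id=c` and `site.com/?attachment_id=` return HTTP status 404 and that a valid numeric ID still loads its post.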