Make WordPress Core

Opened 13 years ago

Last modified 5 days ago

#5272 reviewing defect (bug)

WordPress allows anonymous user to see slug for private post by guessing post number

Reported by: tzafrir Owned by: SergeyBiryukov
Milestone: 5.6 Priority: normal
Severity: normal Version: 2.3.1
Component: Security Keywords: has-patch needs-testing
Focuses: Cc:


I have pretty permalinks enabled, and I set a post as private.

Entering http://blog.url/?p=(postid) will redirect the user, any user, to http://blog.url/perma/link/, and only then give him a 404 error.

Depending on permalink structure, this shows the private post's title to anyone who figures out its post number.

Attachments (1)

5272.patch (1.1 KB) - added by pishmishy 13 years ago.
Basic fix for this issue

Download all attachments as: .zip

Change History (15)

#1 @tzafrir
13 years ago

Oh, and on decent hours I even know how to spell WordPress :(

#2 @Viper007Bond
13 years ago

  • Keywords needs-patch added
  • Summary changed from Wodpress allows anonymous user to see slug for private post by guessing post number to WordPress allows anonymous user to see slug for private post by guessing post number

Luckily, you can fix it. :)

#3 @pishmishy
13 years ago

  • Owner changed from anonymous to pishmishy
  • Status changed from new to assigned

Confirming that the bug exists in trunk. Worth fixing as the slug may have been automatically derived from post data that the user didn't want to disclose.

13 years ago

Basic fix for this issue

#4 @pishmishy
13 years ago

  • Keywords has-patch canonical redirection private added; needs-patch removed

Fix is to add an additional condition to be satisfied before canonical redirection can take place.

Not entirely happy with my patch but it does fix the problem. Someone more familiar with query.php can probably come up with an is_private() function. is_empty works just as well though.

#5 @pishmishy
12 years ago

Tempted to close this one too. I think it's important to disclose as little information as possible but the fix has been on offer and there doesn't appear to be much demand for it.

#6 @tzafrir
12 years ago

Too bad - I can't see how this is not a major privacy issue.

If we ever want to see WordPress used as a CMS for a major corporation, we can't have their secret keynote surprise open for the world to see.

#7 @Denis-de-Bernardy
11 years ago

  • Keywords needs-patch added; has-patch canonical redirection private removed

The patch is invalid. There is some reprocessing of 404 code further down, that ends up not getting processed. Imo, what WP should do here is return a 403 error.

#8 @Denis-de-Bernardy
11 years ago

  • Milestone 2.9 deleted
  • Resolution set to wontfix
  • Status changed from assigned to closed

there's a dup of this one somewhere, and it shoud get wontfixed too.

#9 @peterwilsoncc
6 months ago

  • Component changed from General to Security
  • Keywords needs-unit-tests added
  • Milestone set to Future Release
  • Resolution wontfix deleted
  • Severity changed from major to normal
  • Status changed from closed to reopened

Reopening following discussion with @whyisjake.

This ticket was mentioned in PR #433 on WordPress/wordpress-develop by donmhico.

9 days ago

  • Keywords has-patch added; needs-patch removed

Prevent canonical redirect for private post.

Trac ticket: https://core.trac.wordpress.org/ticket/5272


  1. Unit test.
  2. Allow the redirect if user is logged and has permission to read the post.

#11 @donmhico
9 days ago

Added a patch above however it still need some work. Will try to update the PR soon.

#12 @donmhico
5 days ago

  • Keywords needs-testing added; needs-unit-tests removed

Updated the PR with unit tests. Need more people to test :)

#13 @SergeyBiryukov
5 days ago

  • Milestone changed from Future Release to 5.6
  • Owner changed from pishmishy to SergeyBiryukov
  • Status changed from reopened to reviewing

#14 @TimothyBlynJacobs
5 days ago

Should this be looking at get_post_status_object()->private?

Note: See TracTickets for help on using tickets.