WordPress allows anonymous user to see slug for private post by guessing post number

[tzafrir]

I have pretty permalinks enabled, and I set a post as private.

Entering ​http://blog.url/?p=(postid) will redirect the user, any user, to ​http://blog.url/perma/link/, and only then give him a 404 error.

Depending on permalink structure, this shows the private post's title to anyone who figures out its post number.

[tzafrir]

Oh, and on decent hours I even know how to spell WordPress :(

[Viper007Bond]

Luckily, you can fix it. :)

[pishmishy]

Confirming that the bug exists in trunk. Worth fixing as the slug may have been automatically derived from post data that the user didn't want to disclose.

[pishmishy]

Basic fix for this issue

[pishmishy]

Fix is to add an additional condition to be satisfied before canonical redirection can take place.

Not entirely happy with my patch but it does fix the problem. Someone more familiar with query.php can probably come up with an is_private() function. is_empty works just as well though.

[pishmishy]

Tempted to close this one too. I think it's important to disclose as little information as possible but the fix has been on offer and there doesn't appear to be much demand for it.

[tzafrir]

Too bad - I can't see how this is not a major privacy issue.

If we ever want to see WordPress used as a CMS for a major corporation, we can't have their secret keynote surprise open for the world to see.

[Denis-de-Bernardy]

The patch is invalid. There is some reprocessing of 404 code further down, that ends up not getting processed. Imo, what WP should do here is return a 403 error.

[Denis-de-Bernardy]

there's a dup of this one somewhere, and it shoud get wontfixed too.

[peterwilsoncc]

Reopening following discussion with @whyisjake.

Prevent canonical redirect for private post.

Trac ticket: https://core.trac.wordpress.org/ticket/5272

TODO:

1. Unit test.
2. Allow the redirect if user is logged and has permission to read the post.

[donmhico]

Added a patch above however it still need some work. Will try to update the PR soon.

[donmhico]

Updated the PR with unit tests. Need more people to test :)

[TimothyBlynJacobs]

Should this be looking at get_post_status_object()->private?

Trac ticket: https://core.trac.wordpress.org/ticket/5272

[prbot]

​peterwilsoncc commented on ​PR #433:

@donmhico

In parallel, I'd written some code elsewhere that I have added as PR #479 .

The code we'd written is similar so I'd make sure you get props.

There are few places in your patch that redirects are determined that had been missed, so I've expanded upon that to catch other places.

For the unit tests I expanded them to include both positive and negative use cases for all types of users, including the original author, you'll find them in the other PR.

If you think I have missed anything, please add comments.

Peter

[peterwilsoncc]

As the friendly bot points out, I've pushed a PR to ​https://github.com/WordPress/wordpress-develop/pull/479

@TimothyBlynJacobs I've included a check for get_post_status_object( $redirect_obj->post_status )->public, do you think I should logic check for private or internal too?

@SergeyBiryukov I included some tests for comment feed requests but was getting some unexpected results with ?name=slug&feed=rss2 style requests that I think are unrelated to this ticket. Do you know if they work?

[TimothyBlynJacobs]

Replying to peterwilsoncc:

@TimothyBlynJacobs I've included a check for get_post_status_object( $redirect_obj->post_status )->public, do you think I should logic check for private or internal too?

I really don't know. I don't think it's valid for more than one of public, protected or private to be set to true. But since the function doesn't enforce that perhaps some developers have accidentally done that?

I guess the publicly_queryable post status arg might also be the thing to check? At a first glance, I can't find it being used anywhere in Core though.

[whyisjake]

In conversation with @dd32:

I’d personally lean towards get_post_status_object( $status )->public as the filterable way, but private isn’t a public post status.

[peterwilsoncc]

In 49563:

Canonical: Prevent ID enumeration of private post slugs.

Add check to redirect_canonical() to ensure the destination post is not using a private post status.

Props dd32, Denis-de-Bernardy, donmhico, helen, nacin, peterwilsoncc, pishmishy, TimothyBlynJacobs, tzafrir, Viper007Bond, whyisjake.
Fixes #5272.

https://core.trac.wordpress.org/ticket/5272

Starting with some unit tests -- they fail.

[peterwilsoncc]

In 49622:

Permalinks: Prevent attachment pages 404ing following [49563].

This largely reverts [49563] due to attachment pages returning 404: File not found errors when they use the inherit status.

Permalink changes to attachment pages are retained when they are descendants of trashed or deleted posts.

Props Toro_Unit, helen, johnbillion, peterwilsoncc.
Fixes #51776.
See #5272.

https://core.trac.wordpress.org/ticket/5272 but better this time.

[peterwilsoncc]

Moving this on to the 5.7 milestone for another attempt. At time of writing tests are failing but hope to get it down soon.