WordPress allows anonymous user to see slug for private post by guessing post number

[tzafrir]

I have pretty permalinks enabled, and I set a post as private.

Entering ​http://blog.url/?p=(postid) will redirect the user, any user, to ​http://blog.url/perma/link/, and only then give him a 404 error.

Depending on permalink structure, this shows the private post's title to anyone who figures out its post number.

[tzafrir]

Oh, and on decent hours I even know how to spell WordPress :(

[Viper007Bond]

Luckily, you can fix it. :)

[pishmishy]

Confirming that the bug exists in trunk. Worth fixing as the slug may have been automatically derived from post data that the user didn't want to disclose.

[pishmishy]

Basic fix for this issue

[pishmishy]

Fix is to add an additional condition to be satisfied before canonical redirection can take place.

Not entirely happy with my patch but it does fix the problem. Someone more familiar with query.php can probably come up with an is_private() function. is_empty works just as well though.

[pishmishy]

Tempted to close this one too. I think it's important to disclose as little information as possible but the fix has been on offer and there doesn't appear to be much demand for it.

[tzafrir]

Too bad - I can't see how this is not a major privacy issue.

If we ever want to see WordPress used as a CMS for a major corporation, we can't have their secret keynote surprise open for the world to see.

[Denis-de-Bernardy]

The patch is invalid. There is some reprocessing of 404 code further down, that ends up not getting processed. Imo, what WP should do here is return a 403 error.

[Denis-de-Bernardy]

there's a dup of this one somewhere, and it shoud get wontfixed too.