Make WordPress Core

Opened 16 years ago

Closed 16 years ago

#7545 closed defect (bug) (wontfix)

gears-manifest.php shouldn't be publicly accessible.

Reported by: g30rg3x Owned by:
Milestone: Priority: lowest
Severity: trivial Version: 2.7
Component: Administration Keywords:
Focuses: Cc:

Description

Since version 2.6, WordPress has included support for Gears.
As stated in the LocalServer API documentation, Gears needs a manifest file that lists all of the URLs to be captured by a ManagedResourceStore and also contains the version of the manifest's contents.

But instead of being accessible only to "logged-in" users (the ones who will actually take advantage of Gears), this file is publicly available, so anyone can easily enumerate the WordPress version (and style version) as well as the list of all URLs to be captured by Gears...
Examples:
http://ma.tt/blog/wp-admin/gears-manifest.php
http://boren.nu/weblog/wp-admin/gears-manifest.php
http://markjaquith.wordpress.com/wp-admin/gears-manifest.php

I know (from previous attempts to promote hiding the version number) that you don't see this problem as an issue/defect or even an enhancement. This doesn't bother me at all, since we can still hide the version using a dynamic modification to $wp_version that can come from a little plugin; however, since gears-manifest.php actually loads just the necessary files, it makes my solution (and many others out there) totally useless, so the only way we have is to make a direct modification to the gears-manifest.php file.

So please reconsider your position on this type of issue and at least provide some way to work around this problem.

PS: Pardon me for all the grammar issues, I'm not truly an English writer.

Change History (1)

#1 @azaozz
16 years ago

  • Milestone 2.7 deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Currently Gears captures only public files that are also available in the installation package (try accessing directly any file listed in the manifest). There is no private or personal information captured.

If you want to prevent public access to all of these files, the best option would be to set up simple server authentication for both the wp-admin and wp-includes directories, although that may break some functionality/plugins. Trying to just hide the WordPress version serves no purpose, as it can be guessed quite easily in many different ways by looking at the above files.

I think the replies by Otto42, pishmishy and foolswisdom to the previous ticket apply here too.
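A small self-audit helper for the point argued in the ticket and the reply above, added here and not part of the original ticket or of WordPress: given the body of a Gears LocalServer manifest, it reports the version string the manifest discloses and the captured URLs, and flags any entry that falls outside wp-admin/ or wp-includes/ (the claim in the reply is that only files shipped in the installation package are captured). The manifest sample, its version string and the `PACKAGE_PREFIXES` rule are constructed assumptions, not values taken from gears-manifest.php.

```python
import json
from urllib.parse import urlparse

# Constructed sample in the shape of a Gears LocalServer manifest
# (betaManifestVersion / version / entries). The version string and the
# URLs are made up for illustration, not copied from a real site.
SAMPLE_MANIFEST = """{
  "betaManifestVersion": 1,
  "version": "2.7-alpha_20080815",
  "entries": [
    {"url": "/wp-admin/images/wp-logo.gif"},
    {"url": "/wp-includes/js/jquery/jquery.js"},
    {"url": "/wp-admin/css/global.css"}
  ]
}"""

# Assumed rule for this check: only paths under these prefixes ship in the
# installation package. Any other captured URL deserves a look by the site owner.
PACKAGE_PREFIXES = ("/wp-admin/", "/wp-includes/")


def audit_manifest(text):
    """Parse a manifest body and return (disclosed_version, captured_urls, unexpected_urls).

    unexpected_urls holds every entry whose path is outside PACKAGE_PREFIXES.
    Raises ValueError if the body does not look like a Gears manifest.
    """
    data = json.loads(text)
    if "betaManifestVersion" not in data or "entries" not in data:
        raise ValueError("not a Gears manifest")
    # Entries may be absolute or site-relative URLs; compare on the path only.
    urls = [entry["url"] for entry in data["entries"] if "url" in entry]
    unexpected = [u for u in urls if not urlparse(u).path.startswith(PACKAGE_PREFIXES)]
    return data.get("version", ""), urls, unexpected


if __name__ == "__main__":
    version, urls, unexpected = audit_manifest(SAMPLE_MANIFEST)
    print("version disclosed by manifest:", version)
    print("captured URLs:", len(urls))
    print("entries outside the package directories:", unexpected)
```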
