id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc,focuses
7545,gears-manifest.php shouldn't be public accessible.,g30rg3x,,"Since version 2.6, WordPress has included support for Gears.[[BR]] As stated by the [http://code.google.com/apis/gears/api_localserver.html LocalServer API], Gears needs a [http://code.google.com/apis/gears/api_localserver.html#manifest_file Manifest file] that lists all of the URLs to be captured by a ManagedResourceStore and also contains the version of the contents of the manifest.[[BR]] [[BR]] But this file, instead of being accessible just to ""logged-in"" users (the ones that will actually take advantage of Gears), is publicly available, so anyone can easily enumerate the WordPress version (and style version) as well as the list of all URLs to be captured by Gears...[[BR]] Examples:[[BR]] http://ma.tt/blog/wp-admin/gears-manifest.php [[BR]] http://boren.nu/weblog/wp-admin/gears-manifest.php [[BR]] http://markjaquith.wordpress.com/wp-admin/gears-manifest.php [[BR]] [[BR]] I know ([http://trac.wordpress.org/ticket/4155 from previous attempts to promote hiding the version number]) that you don't see this problem as an issue/defect or even an enhancement. This doesn't bother me at all, since we can still hide the version using a dynamic modification to $wp_version that can come from a little plugin. However, since gears-manifest.php actually just loads the necessary files, it makes my solution (and many others out there) totally useless, so the only way we have is to go and make a direct modification to the gears-manifest.php file.[[BR]] [[BR]] So please reconsider your position about this type of issue and at least provide some way to work around this problem.[[BR]] [[BR]] PS: Pardon me for all the grammar issues, I'm not a truly English writer.",defect (bug),closed,lowest,,Administration,2.7,trivial,wontfix,,,