[wp-trac] [WordPress Trac] #9559: Site search results can include passworded posts

WordPress Trac wp-trac at lists.automattic.com
Fri Apr 17 07:28:47 GMT 2009


#9559: Site search results can include passworded posts
--------------------------+-------------------------------------------------
 Reporter:  coffee2code   |       Owner:  anonymous
     Type:  defect (bug)  |      Status:  new      
 Priority:  normal        |   Milestone:  2.8      
Component:  General       |     Version:  2.7.1    
 Severity:  normal        |    Keywords:  has-patch
--------------------------+-------------------------------------------------
 By default, WordPress's built-in search feature searches the contents of
 passworded posts.  If the content of a passworded post
 matches the search criteria, WordPress will include that post in the
 listing of search results.  While it is true that the
 post contents will not be displayed to the visitor (unless they know and
 have entered the password for the post), the fact that
 the otherwise protected post appeared in the search results allows for the
 visitor to search-bomb your site in an effort to deduce
 some of the content of the password-protected post.

 Of course, external search (as done from Google) would never include the
 passworded post contents since that content is not available to external
 search engines.

 I have released a [http://coffee2code.com/wp-plugins/omit-passworded-posts-from-search/ plugin]
 that addresses the issue and prevents passworded posts from being included
 in search results, but this may be something we may want to consider for
 core.

 The attached patch prevents passworded posts from being included in search
 results on the front-end of the site (i.e. by visitors).  It does not add
 the constraint on searches performed within the admin.

 The drawback, of course, is that a visitor couldn't legitimately perform a
 search and find a passworded post that they may have the password for.
 Hence a privacy vs. usability issue, and I vote that privacy prevails.
 (I've seen the search-bomb happen, so it's a real concern.)

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/9559>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
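The constraint the ticket describes (drop password-protected posts from visitor-facing searches while leaving admin searches alone) can be expressed as a single `posts_where` filter. The snippet below is an added illustration written for this page; it is neither the ticket's attached patch nor the coffee2code plugin, and the plugin header and function name are invented for the example. It relies only on core APIs that exist in the 2.7 line: the `posts_where` filter, `is_search()`, `is_admin()`, and the `$wpdb->posts` table name.

```php
<?php
/*
Plugin Name: Example - Omit passworded posts from front-end search
Description: Added illustration for Trac #9559; not the ticket's patch or the coffee2code plugin.
*/

// Appends a WHERE constraint so that only posts with an empty post_password
// are returned. The check is limited to front-end search queries, matching
// the scope the ticket proposes: admin-side searches keep their behaviour.
function example_omit_passworded_posts_from_search( $where ) {
    global $wpdb;

    // is_search() is true for the main query once parse_query() has run,
    // which is the case by the time posts_where fires. is_admin() keeps the
    // dashboard's own post search unchanged.
    if ( is_search() && ! is_admin() ) {
        // post_password is stored as an empty string for unprotected posts,
        // so a simple equality test excludes every passworded post.
        $where .= " AND {$wpdb->posts}.post_password = ''";
    }

    return $where;
}
add_filter( 'posts_where', 'example_omit_passworded_posts_from_search' );
```

Because the filter edits the SQL rather than post-processing results, a protected post never reaches the result set, so neither its existence nor a hit count leaks to the visitor. The trade-off is exactly the one the ticket states: a visitor who does hold the password can no longer locate the post through search and must reach it by another route.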
