[wp-trac] [WordPress Trac] #5272: WordPress allows anonymous user to see slug for private post by guessing post number
WordPress Trac
noreply at wordpress.org
Thu Nov 12 04:14:58 UTC 2020
#5272: WordPress allows anonymous user to see slug for private post by guessing
post number
-------------------------------------------------+-------------------------
 Reporter:  tzafrir                              |       Owner:  SergeyBiryukov
     Type:  defect (bug)                         |      Status:  closed
 Priority:  normal                               |   Milestone:  5.6
Component:  Security                             |     Version:  2.3.1
 Severity:  normal                               |  Resolution:  fixed
 Keywords:  has-patch needs-testing              |     Focuses:
            has-unit-tests                       |
-------------------------------------------------+-------------------------
Changes (by peterwilsoncc):
* status: reviewing => closed
* resolution: => fixed
Comment:
In [changeset:"49563" 49563]:
{{{
#!CommitTicketReference repository="" revision="49563"
Canonical: Prevent ID enumeration of private post slugs.

Add check to `redirect_canonical()` to ensure the destination post is not
using a private post status.

Props dd32, Denis-de-Bernardy, donmhico, helen, nacin, peterwilsoncc,
pishmishy, TimothyBlynJacobs, tzafrir, Viper007Bond, whyisjake.
Fixes #5272.
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/5272#comment:20>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform