[wp-trac] [WordPress Trac] #59795: Private Information Exposure via redirect_guess_404_permalink()
WordPress Trac
noreply at wordpress.org
Tue Jan 16 01:27:45 UTC 2024
#59795: Private Information Exposure via redirect_guess_404_permalink()
--------------------------------------+----------------------------
Reporter: FrancescoCarlucci | Owner: peterwilsoncc
Type: defect (bug) | Status: assigned
Priority: normal | Milestone: 6.5
Component: Canonical | Version:
Severity: minor | Resolution:
Keywords: has-patch has-unit-tests | Focuses: privacy
--------------------------------------+----------------------------
Comment (by peterwilsoncc):
I've revised my original patch in the [https://github.com/WordPress/wordpress-develop/pull/5867 linked pull request]
* Redirects are limited to publicly queryable and searchable post types
* Unlike my original patch the post type `WHERE` clause is modified in the
`get_query_var( 'post_type' )` block to avoid SQL errors
* Added a unit test for a post type registered with
`['public'=>true,'publicly_queryable'=>false]`
Testing notes:
1. Add
[https://gist.github.com/peterwilsoncc/16df069cd23d95be6e2ca5a6a0ee99ee
this mini-plugin] to `wp-content/mu-plugins`
1. Go to the WordPress Dashboard > Private Posts > Add new Post
1. Publish a post with the title "59795 Private Post"
1. In a private/incognito browser window, visit `http://localhost/59795`
(replacing `localhost` as appropriate for your test environment)
1. On this branch you should see a 404 error, on trunk you should be
redirected to `http://localhost/pwcc_private_post/59795-private-post/`
@FrancescoCarlucci If you have bandwidth, are you able to assist by
testing the pull request? A copy of WordPress built from the PR can be
found by visiting the [https://github.com/WordPress/wordpress-develop/pull/5867/checks PR's checks tab], clicking on "Test Build
Processes" in the navigation and downloading the `wordpress-build-???`
artifact.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/59795#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
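The comment above describes two things: a post type registered as `public` but not `publicly_queryable` (the case the new unit test covers), and a fix that stops `redirect_guess_404_permalink()` from guessing its way into such post types. The mu-plugin below is an added illustration written for this page; it is neither the gist linked in the testing notes nor the code in the pull request. The post type slug `pwcc_private_post` and label "Private Posts" are assumptions chosen to match the URLs in the testing notes, and the second half uses the existing core filter `pre_redirect_guess_404_permalink` (WordPress 5.5+) to enforce the same rule on a site that does not yet carry the fix: a 404 may only be redirected to a post in a viewable post type.

```php
<?php
/**
 * Plugin Name: 59795 demo (added example for this page, not the ticket's gist)
 *
 * Drop into wp-content/mu-plugins/. Part 1 recreates the test setup:
 * a post type that has an admin UI but cannot be queried from the front end.
 * Part 2 is a defensive shim mirroring the intent of the fix for sites
 * still running code that guesses across every post type.
 */

// Part 1: post type that is `public` but not `publicly_queryable`
// (slug and label are assumptions matching the testing notes above).
add_action( 'init', function () {
	register_post_type( 'pwcc_private_post', array(
		'label'              => 'Private Posts',
		'public'             => true,   // visible in the dashboard and menus
		'publicly_queryable' => false,  // no front-end queries by URL
		'show_ui'            => true,
		'supports'           => array( 'title', 'editor' ),
	) );
} );

// Part 2: only let the 404 guesser redirect into viewable post types.
// Returning a non-null value from this filter short-circuits core's guess;
// `false` means "do not redirect", so the 404 stands.
add_filter( 'pre_redirect_guess_404_permalink', function ( $pre ) {
	if ( null !== $pre ) {
		return $pre; // another filter already decided
	}

	$name = get_query_var( 'name' );
	if ( '' === $name ) {
		return $pre; // nothing to guess from; fall through to core
	}

	// is_post_type_viewable() is the same test core uses for front-end
	// visibility: publicly_queryable, or built-in and public (covers `page`).
	$viewable = array_filter(
		get_post_types( array( 'public' => true ), 'names' ),
		'is_post_type_viewable'
	);
	if ( empty( $viewable ) ) {
		return false;
	}

	// Exact slug match, deliberately stricter than core's LIKE '%name%' guess,
	// and restricted to published posts of viewable types only.
	$ids = get_posts( array(
		'name'           => $name,
		'post_type'      => array_values( $viewable ),
		'post_status'    => 'publish',
		'posts_per_page' => 1,
		'fields'         => 'ids',
	) );

	if ( empty( $ids ) ) {
		return false; // no public match: keep the 404, leak nothing
	}

	return get_permalink( $ids[0] );
} );
```

With this plugin active, repeating the testing notes (publish "59795 Private Post" under Private Posts, then visit `/59795` in a logged-out window) yields a 404 rather than a redirect to the private post's permalink, because `pwcc_private_post` is excluded from `$viewable`. A published standard post with a matching slug is still redirected to, so the user-facing behaviour for legitimate content is preserved.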