Canonical: Prevent ID enumeration of private post slugs.

Add check to `redirect_canonical()` to ensure the destination post is not using a private post status.

Props dd32, Denis-de-Bernardy, donmhico, helen, nacin, peterwilsoncc, pishmishy, TimothyBlynJacobs, tzafrir, Viper007Bond, whyisjake.
Fixes #5272.


Built from https://develop.svn.wordpress.org/trunk@49563


git-svn-id: http://core.svn.wordpress.org/trunk@49301 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Peter Wilson 2020-11-12 04:16:08 +00:00
parent 3a1265e188
commit 5da8c0fceb
3 changed files with 52 additions and 1 deletions

View File

@ -77,6 +77,7 @@ function redirect_canonical( $requested_url = null, $do_redirect = true ) {
$redirect = $original; $redirect = $original;
$redirect_url = false; $redirect_url = false;
$redirect_obj = false;
// Notice fixing. // Notice fixing.
if ( ! isset( $redirect['path'] ) ) { if ( ! isset( $redirect['path'] ) ) {
@ -102,6 +103,7 @@ function redirect_canonical( $requested_url = null, $do_redirect = true ) {
if ( is_feed() && $post_id ) { if ( is_feed() && $post_id ) {
$redirect_url = get_post_comments_feed_link( $post_id, get_query_var( 'feed' ) ); $redirect_url = get_post_comments_feed_link( $post_id, get_query_var( 'feed' ) );
$redirect_obj = get_post( $post_id );
if ( $redirect_url ) { if ( $redirect_url ) {
$redirect['query'] = _remove_qs_args_if_not_in_url( $redirect['query'] = _remove_qs_args_if_not_in_url(
@ -126,6 +128,7 @@ function redirect_canonical( $requested_url = null, $do_redirect = true ) {
} }
$redirect_url = get_permalink( $post_id ); $redirect_url = get_permalink( $post_id );
$redirect_obj = get_post( $post_id );
if ( $redirect_url ) { if ( $redirect_url ) {
$redirect['query'] = _remove_qs_args_if_not_in_url( $redirect['query'] = _remove_qs_args_if_not_in_url(
@ -150,6 +153,7 @@ function redirect_canonical( $requested_url = null, $do_redirect = true ) {
if ( $post_type_obj->public && 'auto-draft' !== $redirect_post->post_status ) { if ( $post_type_obj->public && 'auto-draft' !== $redirect_post->post_status ) {
$redirect_url = get_permalink( $redirect_post ); $redirect_url = get_permalink( $redirect_post );
$redirect_obj = get_post( $redirect_post );
$redirect['query'] = _remove_qs_args_if_not_in_url( $redirect['query'] = _remove_qs_args_if_not_in_url(
$redirect['query'], $redirect['query'],
@ -197,6 +201,7 @@ function redirect_canonical( $requested_url = null, $do_redirect = true ) {
if ( $post_id ) { if ( $post_id ) {
$redirect_url = get_permalink( $post_id ); $redirect_url = get_permalink( $post_id );
$redirect_obj = get_post( $post_id );
$redirect['path'] = rtrim( $redirect['path'], (int) get_query_var( 'page' ) . '/' ); $redirect['path'] = rtrim( $redirect['path'], (int) get_query_var( 'page' ) . '/' );
$redirect['query'] = remove_query_arg( 'page', $redirect['query'] ); $redirect['query'] = remove_query_arg( 'page', $redirect['query'] );
@ -223,27 +228,32 @@ function redirect_canonical( $requested_url = null, $do_redirect = true ) {
) { ) {
if ( ! empty( $_GET['attachment_id'] ) ) { if ( ! empty( $_GET['attachment_id'] ) ) {
$redirect_url = get_attachment_link( get_query_var( 'attachment_id' ) ); $redirect_url = get_attachment_link( get_query_var( 'attachment_id' ) );
$redirect_obj = get_post( get_query_var( 'attachment_id' ) );
if ( $redirect_url ) { if ( $redirect_url ) {
$redirect['query'] = remove_query_arg( 'attachment_id', $redirect['query'] ); $redirect['query'] = remove_query_arg( 'attachment_id', $redirect['query'] );
} }
} else { } else {
$redirect_url = get_attachment_link(); $redirect_url = get_attachment_link();
$redirect_obj = get_post();
} }
} elseif ( is_single() && ! empty( $_GET['p'] ) && ! $redirect_url ) { } elseif ( is_single() && ! empty( $_GET['p'] ) && ! $redirect_url ) {
$redirect_url = get_permalink( get_query_var( 'p' ) ); $redirect_url = get_permalink( get_query_var( 'p' ) );
$redirect_obj = get_post( get_query_var( 'p' ) );
if ( $redirect_url ) { if ( $redirect_url ) {
$redirect['query'] = remove_query_arg( array( 'p', 'post_type' ), $redirect['query'] ); $redirect['query'] = remove_query_arg( array( 'p', 'post_type' ), $redirect['query'] );
} }
} elseif ( is_single() && ! empty( $_GET['name'] ) && ! $redirect_url ) { } elseif ( is_single() && ! empty( $_GET['name'] ) && ! $redirect_url ) {
$redirect_url = get_permalink( $wp_query->get_queried_object_id() ); $redirect_url = get_permalink( $wp_query->get_queried_object_id() );
$redirect_obj = get_post( $wp_query->get_queried_object_id() );
if ( $redirect_url ) { if ( $redirect_url ) {
$redirect['query'] = remove_query_arg( 'name', $redirect['query'] ); $redirect['query'] = remove_query_arg( 'name', $redirect['query'] );
} }
} elseif ( is_page() && ! empty( $_GET['page_id'] ) && ! $redirect_url ) { } elseif ( is_page() && ! empty( $_GET['page_id'] ) && ! $redirect_url ) {
$redirect_url = get_permalink( get_query_var( 'page_id' ) ); $redirect_url = get_permalink( get_query_var( 'page_id' ) );
$redirect_obj = get_post( get_query_var( 'page_id' ) );
if ( $redirect_url ) { if ( $redirect_url ) {
$redirect['query'] = remove_query_arg( 'page_id', $redirect['query'] ); $redirect['query'] = remove_query_arg( 'page_id', $redirect['query'] );
@ -256,6 +266,7 @@ function redirect_canonical( $requested_url = null, $do_redirect = true ) {
&& 'page' === get_option( 'show_on_front' ) && get_query_var( 'page_id' ) === (int) get_option( 'page_for_posts' ) && 'page' === get_option( 'show_on_front' ) && get_query_var( 'page_id' ) === (int) get_option( 'page_for_posts' )
) { ) {
$redirect_url = get_permalink( get_option( 'page_for_posts' ) ); $redirect_url = get_permalink( get_option( 'page_for_posts' ) );
$redirect_obj = get_post( get_option( 'page_for_posts' ) );
if ( $redirect_url ) { if ( $redirect_url ) {
$redirect['query'] = remove_query_arg( 'page_id', $redirect['query'] ); $redirect['query'] = remove_query_arg( 'page_id', $redirect['query'] );
@ -310,6 +321,7 @@ function redirect_canonical( $requested_url = null, $do_redirect = true ) {
&& $wpdb->get_var( $wpdb->prepare( "SELECT ID FROM $wpdb->posts WHERE $wpdb->posts.post_author = %d AND $wpdb->posts.post_status = 'publish' LIMIT 1", $author->ID ) ) && $wpdb->get_var( $wpdb->prepare( "SELECT ID FROM $wpdb->posts WHERE $wpdb->posts.post_author = %d AND $wpdb->posts.post_status = 'publish' LIMIT 1", $author->ID ) )
) { ) {
$redirect_url = get_author_posts_url( $author->ID, $author->user_nicename ); $redirect_url = get_author_posts_url( $author->ID, $author->user_nicename );
$redirect_obj = $author;
if ( $redirect_url ) { if ( $redirect_url ) {
$redirect['query'] = remove_query_arg( 'author', $redirect['query'] ); $redirect['query'] = remove_query_arg( 'author', $redirect['query'] );
@ -385,6 +397,7 @@ function redirect_canonical( $requested_url = null, $do_redirect = true ) {
|| ! has_term( $category->term_id, 'category', $wp_query->get_queried_object_id() ) || ! has_term( $category->term_id, 'category', $wp_query->get_queried_object_id() )
) { ) {
$redirect_url = get_permalink( $wp_query->get_queried_object_id() ); $redirect_url = get_permalink( $wp_query->get_queried_object_id() );
$redirect_obj = get_post( $wp_query->get_queried_object_id() );
} }
} }
} }
@ -395,6 +408,7 @@ function redirect_canonical( $requested_url = null, $do_redirect = true ) {
if ( ! $redirect_url ) { if ( ! $redirect_url ) {
$redirect_url = get_permalink( get_queried_object_id() ); $redirect_url = get_permalink( get_queried_object_id() );
$redirect_obj = get_post( get_queried_object_id() );
} }
if ( $page > 1 ) { if ( $page > 1 ) {
@ -740,6 +754,32 @@ function redirect_canonical( $requested_url = null, $do_redirect = true ) {
$requested_url = preg_replace_callback( '|%[a-fA-F0-9][a-fA-F0-9]|', 'lowercase_octets', $requested_url ); $requested_url = preg_replace_callback( '|%[a-fA-F0-9][a-fA-F0-9]|', 'lowercase_octets', $requested_url );
} }
if (
$redirect_obj &&
is_a( $redirect_obj, 'WP_Post' )
) {
$post_status_obj = get_post_status_object( get_post_status( $redirect_obj ) );
if (
// Unviewable post types are never redirected.
! is_post_type_viewable( $redirect_obj->post_type ) ||
// Internal or protected posts never redirect.
$post_status_obj->internal ||
$post_status_obj->protected ||
(
// Don't redirect a non-public post...
! $post_status_obj->public &&
(
// ...unless it's private and the logged in user has access.
$post_status_obj->private &&
! current_user_can( 'read_post', $redirect_obj->ID )
)
)
) {
$redirect_obj = false;
$redirect_url = false;
}
}
/** /**
* Filters the canonical redirect URL. * Filters the canonical redirect URL.
* *

View File

@ -420,6 +420,17 @@ function get_attachment_link( $post = null, $leavename = false ) {
$parent = false; $parent = false;
} }
if ( $parent ) {
$parent_status_obj = get_post_status_object( get_post_status( $post->post_parent ) );
if (
! is_post_type_viewable( get_post_type( $post->post_parent ) ) ||
$parent_status_obj->internal ||
$parent_status_obj->protected
) {
$parent = false;
}
}
if ( $wp_rewrite->using_permalinks() && $parent ) { if ( $wp_rewrite->using_permalinks() && $parent ) {
if ( 'page' === $parent->post_type ) { if ( 'page' === $parent->post_type ) {
$parentlink = _get_page_link( $post->post_parent ); // Ignores page_on_front. $parentlink = _get_page_link( $post->post_parent ); // Ignores page_on_front.

View File

@ -13,7 +13,7 @@
* *
* @global string $wp_version * @global string $wp_version
*/ */
$wp_version = '5.6-beta3-49562'; $wp_version = '5.6-beta3-49563';
/** /**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema. * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.