Canonical: Prevent ID enumeration of private post slugs.
Add check to `redirect_canonical()` to ensure private posts only redirect for logged in users. Modifies the `read_post` mata capability to user `get_post_status()` rather than the post's `post_status` property to allow attachments to redirect based on the inherited post status. Introduces `wp_force_ugly_post_permalink()` to unify the check to determine if an ugly link should be displayed in each of the functions used for determining permalinks: `get_permalink()`, `get_post_permalink()`, `_get_page_link()` and `get_attachment_link()`. Improves logic of `get_attachment_link()` to validate parent post and resolution of inherited post status. This is an incomplete fix of #52373 to prevent the function returning links resulting in a file not found error. Required to unblock this ticket. Props peterwilsoncc, TimothyBlynJacobs. See #52373. Fixes #5272. Built from https://develop.svn.wordpress.org/trunk@50132 git-svn-id: http://core.svn.wordpress.org/trunk@49811 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
parent
dbfbf5501a
commit
faa29f5716
|
@ -77,6 +77,7 @@ function redirect_canonical( $requested_url = null, $do_redirect = true ) {
|
||||||
|
|
||||||
$redirect = $original;
|
$redirect = $original;
|
||||||
$redirect_url = false;
|
$redirect_url = false;
|
||||||
|
$redirect_obj = false;
|
||||||
|
|
||||||
// Notice fixing.
|
// Notice fixing.
|
||||||
if ( ! isset( $redirect['path'] ) ) {
|
if ( ! isset( $redirect['path'] ) ) {
|
||||||
|
@ -102,6 +103,7 @@ function redirect_canonical( $requested_url = null, $do_redirect = true ) {
|
||||||
|
|
||||||
if ( is_feed() && $post_id ) {
|
if ( is_feed() && $post_id ) {
|
||||||
$redirect_url = get_post_comments_feed_link( $post_id, get_query_var( 'feed' ) );
|
$redirect_url = get_post_comments_feed_link( $post_id, get_query_var( 'feed' ) );
|
||||||
|
$redirect_obj = get_post( $post_id );
|
||||||
|
|
||||||
if ( $redirect_url ) {
|
if ( $redirect_url ) {
|
||||||
$redirect['query'] = _remove_qs_args_if_not_in_url(
|
$redirect['query'] = _remove_qs_args_if_not_in_url(
|
||||||
|
@ -126,6 +128,7 @@ function redirect_canonical( $requested_url = null, $do_redirect = true ) {
|
||||||
}
|
}
|
||||||
|
|
||||||
$redirect_url = get_permalink( $post_id );
|
$redirect_url = get_permalink( $post_id );
|
||||||
|
$redirect_obj = get_post( $post_id );
|
||||||
|
|
||||||
if ( $redirect_url ) {
|
if ( $redirect_url ) {
|
||||||
$redirect['query'] = _remove_qs_args_if_not_in_url(
|
$redirect['query'] = _remove_qs_args_if_not_in_url(
|
||||||
|
@ -150,6 +153,7 @@ function redirect_canonical( $requested_url = null, $do_redirect = true ) {
|
||||||
|
|
||||||
if ( $post_type_obj && $post_type_obj->public && 'auto-draft' !== $redirect_post->post_status ) {
|
if ( $post_type_obj && $post_type_obj->public && 'auto-draft' !== $redirect_post->post_status ) {
|
||||||
$redirect_url = get_permalink( $redirect_post );
|
$redirect_url = get_permalink( $redirect_post );
|
||||||
|
$redirect_obj = get_post( $redirect_post );
|
||||||
|
|
||||||
$redirect['query'] = _remove_qs_args_if_not_in_url(
|
$redirect['query'] = _remove_qs_args_if_not_in_url(
|
||||||
$redirect['query'],
|
$redirect['query'],
|
||||||
|
@ -197,6 +201,7 @@ function redirect_canonical( $requested_url = null, $do_redirect = true ) {
|
||||||
|
|
||||||
if ( $post_id ) {
|
if ( $post_id ) {
|
||||||
$redirect_url = get_permalink( $post_id );
|
$redirect_url = get_permalink( $post_id );
|
||||||
|
$redirect_obj = get_post( $post_id );
|
||||||
|
|
||||||
$redirect['path'] = rtrim( $redirect['path'], (int) get_query_var( 'page' ) . '/' );
|
$redirect['path'] = rtrim( $redirect['path'], (int) get_query_var( 'page' ) . '/' );
|
||||||
$redirect['query'] = remove_query_arg( 'page', $redirect['query'] );
|
$redirect['query'] = remove_query_arg( 'page', $redirect['query'] );
|
||||||
|
@ -223,27 +228,32 @@ function redirect_canonical( $requested_url = null, $do_redirect = true ) {
|
||||||
) {
|
) {
|
||||||
if ( ! empty( $_GET['attachment_id'] ) ) {
|
if ( ! empty( $_GET['attachment_id'] ) ) {
|
||||||
$redirect_url = get_attachment_link( get_query_var( 'attachment_id' ) );
|
$redirect_url = get_attachment_link( get_query_var( 'attachment_id' ) );
|
||||||
|
$redirect_obj = get_post( get_query_var( 'attachment_id' ) );
|
||||||
|
|
||||||
if ( $redirect_url ) {
|
if ( $redirect_url ) {
|
||||||
$redirect['query'] = remove_query_arg( 'attachment_id', $redirect['query'] );
|
$redirect['query'] = remove_query_arg( 'attachment_id', $redirect['query'] );
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
$redirect_url = get_attachment_link();
|
$redirect_url = get_attachment_link();
|
||||||
|
$redirect_obj = get_post();
|
||||||
}
|
}
|
||||||
} elseif ( is_single() && ! empty( $_GET['p'] ) && ! $redirect_url ) {
|
} elseif ( is_single() && ! empty( $_GET['p'] ) && ! $redirect_url ) {
|
||||||
$redirect_url = get_permalink( get_query_var( 'p' ) );
|
$redirect_url = get_permalink( get_query_var( 'p' ) );
|
||||||
|
$redirect_obj = get_post( get_query_var( 'p' ) );
|
||||||
|
|
||||||
if ( $redirect_url ) {
|
if ( $redirect_url ) {
|
||||||
$redirect['query'] = remove_query_arg( array( 'p', 'post_type' ), $redirect['query'] );
|
$redirect['query'] = remove_query_arg( array( 'p', 'post_type' ), $redirect['query'] );
|
||||||
}
|
}
|
||||||
} elseif ( is_single() && ! empty( $_GET['name'] ) && ! $redirect_url ) {
|
} elseif ( is_single() && ! empty( $_GET['name'] ) && ! $redirect_url ) {
|
||||||
$redirect_url = get_permalink( $wp_query->get_queried_object_id() );
|
$redirect_url = get_permalink( $wp_query->get_queried_object_id() );
|
||||||
|
$redirect_obj = get_post( $wp_query->get_queried_object_id() );
|
||||||
|
|
||||||
if ( $redirect_url ) {
|
if ( $redirect_url ) {
|
||||||
$redirect['query'] = remove_query_arg( 'name', $redirect['query'] );
|
$redirect['query'] = remove_query_arg( 'name', $redirect['query'] );
|
||||||
}
|
}
|
||||||
} elseif ( is_page() && ! empty( $_GET['page_id'] ) && ! $redirect_url ) {
|
} elseif ( is_page() && ! empty( $_GET['page_id'] ) && ! $redirect_url ) {
|
||||||
$redirect_url = get_permalink( get_query_var( 'page_id' ) );
|
$redirect_url = get_permalink( get_query_var( 'page_id' ) );
|
||||||
|
$redirect_obj = get_post( get_query_var( 'page_id' ) );
|
||||||
|
|
||||||
if ( $redirect_url ) {
|
if ( $redirect_url ) {
|
||||||
$redirect['query'] = remove_query_arg( 'page_id', $redirect['query'] );
|
$redirect['query'] = remove_query_arg( 'page_id', $redirect['query'] );
|
||||||
|
@ -256,6 +266,7 @@ function redirect_canonical( $requested_url = null, $do_redirect = true ) {
|
||||||
&& 'page' === get_option( 'show_on_front' ) && get_query_var( 'page_id' ) === (int) get_option( 'page_for_posts' )
|
&& 'page' === get_option( 'show_on_front' ) && get_query_var( 'page_id' ) === (int) get_option( 'page_for_posts' )
|
||||||
) {
|
) {
|
||||||
$redirect_url = get_permalink( get_option( 'page_for_posts' ) );
|
$redirect_url = get_permalink( get_option( 'page_for_posts' ) );
|
||||||
|
$redirect_obj = get_post( get_option( 'page_for_posts' ) );
|
||||||
|
|
||||||
if ( $redirect_url ) {
|
if ( $redirect_url ) {
|
||||||
$redirect['query'] = remove_query_arg( 'page_id', $redirect['query'] );
|
$redirect['query'] = remove_query_arg( 'page_id', $redirect['query'] );
|
||||||
|
@ -310,6 +321,7 @@ function redirect_canonical( $requested_url = null, $do_redirect = true ) {
|
||||||
&& $wpdb->get_var( $wpdb->prepare( "SELECT ID FROM $wpdb->posts WHERE $wpdb->posts.post_author = %d AND $wpdb->posts.post_status = 'publish' LIMIT 1", $author->ID ) )
|
&& $wpdb->get_var( $wpdb->prepare( "SELECT ID FROM $wpdb->posts WHERE $wpdb->posts.post_author = %d AND $wpdb->posts.post_status = 'publish' LIMIT 1", $author->ID ) )
|
||||||
) {
|
) {
|
||||||
$redirect_url = get_author_posts_url( $author->ID, $author->user_nicename );
|
$redirect_url = get_author_posts_url( $author->ID, $author->user_nicename );
|
||||||
|
$redirect_obj = $author;
|
||||||
|
|
||||||
if ( $redirect_url ) {
|
if ( $redirect_url ) {
|
||||||
$redirect['query'] = remove_query_arg( 'author', $redirect['query'] );
|
$redirect['query'] = remove_query_arg( 'author', $redirect['query'] );
|
||||||
|
@ -385,6 +397,7 @@ function redirect_canonical( $requested_url = null, $do_redirect = true ) {
|
||||||
|| ! has_term( $category->term_id, 'category', $wp_query->get_queried_object_id() )
|
|| ! has_term( $category->term_id, 'category', $wp_query->get_queried_object_id() )
|
||||||
) {
|
) {
|
||||||
$redirect_url = get_permalink( $wp_query->get_queried_object_id() );
|
$redirect_url = get_permalink( $wp_query->get_queried_object_id() );
|
||||||
|
$redirect_obj = get_post( $wp_query->get_queried_object_id() );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -395,6 +408,7 @@ function redirect_canonical( $requested_url = null, $do_redirect = true ) {
|
||||||
|
|
||||||
if ( ! $redirect_url ) {
|
if ( ! $redirect_url ) {
|
||||||
$redirect_url = get_permalink( get_queried_object_id() );
|
$redirect_url = get_permalink( get_queried_object_id() );
|
||||||
|
$redirect_obj = get_post( get_queried_object_id() );
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $page > 1 ) {
|
if ( $page > 1 ) {
|
||||||
|
@ -740,6 +754,28 @@ function redirect_canonical( $requested_url = null, $do_redirect = true ) {
|
||||||
$requested_url = preg_replace_callback( '|%[a-fA-F0-9][a-fA-F0-9]|', 'lowercase_octets', $requested_url );
|
$requested_url = preg_replace_callback( '|%[a-fA-F0-9][a-fA-F0-9]|', 'lowercase_octets', $requested_url );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ( $redirect_obj instanceof WP_Post ) {
|
||||||
|
$post_status_obj = get_post_status_object( get_post_status( $redirect_obj ) );
|
||||||
|
/*
|
||||||
|
* Unset the redirect object and URL if they are not readable by the user.
|
||||||
|
* This condition is a little confusing as the condition needs to pass if
|
||||||
|
* the post is not readable by the user. That's why there are ! (not) conditions
|
||||||
|
* throughout.
|
||||||
|
*/
|
||||||
|
if (
|
||||||
|
// Private post statuses only redirect if the user can read them.
|
||||||
|
! (
|
||||||
|
$post_status_obj->private &&
|
||||||
|
current_user_can( 'read_post', $redirect_obj->ID )
|
||||||
|
) &&
|
||||||
|
// For other posts, only redirect if publicly viewable.
|
||||||
|
! is_post_publicly_viewable( $redirect_obj )
|
||||||
|
) {
|
||||||
|
$redirect_obj = false;
|
||||||
|
$redirect_url = false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Filters the canonical redirect URL.
|
* Filters the canonical redirect URL.
|
||||||
*
|
*
|
||||||
|
|
|
@ -245,10 +245,10 @@ function map_meta_cap( $cap, $user_id, ...$args ) {
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
$status_obj = get_post_status_object( $post->post_status );
|
$status_obj = get_post_status_object( get_post_status( $post ) );
|
||||||
if ( ! $status_obj ) {
|
if ( ! $status_obj ) {
|
||||||
/* translators: 1: Post status, 2: Capability name. */
|
/* translators: 1: Post status, 2: Capability name. */
|
||||||
_doing_it_wrong( __FUNCTION__, sprintf( __( 'The post status %1$s is not registered, so it may not be reliable to check the capability "%2$s" against a post with that status.' ), $post->post_status, $cap ), '5.4.0' );
|
_doing_it_wrong( __FUNCTION__, sprintf( __( 'The post status %1$s is not registered, so it may not be reliable to check the capability "%2$s" against a post with that status.' ), get_post_status( $post ), $cap ), '5.4.0' );
|
||||||
$caps[] = 'edit_others_posts';
|
$caps[] = 'edit_others_posts';
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
|
@ -89,6 +89,58 @@ function permalink_anchor( $mode = 'id' ) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Determine whether post should always use an ugly permalink structure.
|
||||||
|
*
|
||||||
|
* @since 5.7.0
|
||||||
|
*
|
||||||
|
* @param WP_Post|int|null $post Optional. Post ID or post object. Defaults to global $post.
|
||||||
|
* @param bool|null $sample Optional. Whether to force consideration based on sample links.
|
||||||
|
* If omitted, a sample link is generated if a post object is passed
|
||||||
|
* with the filter property set to 'sample'.
|
||||||
|
* @return bool Whether to use an ugly permalink structure.
|
||||||
|
*/
|
||||||
|
function wp_force_ugly_post_permalink( $post = null, $sample = null ) {
|
||||||
|
if (
|
||||||
|
null === $sample &&
|
||||||
|
is_object( $post ) &&
|
||||||
|
isset( $post->filter ) &&
|
||||||
|
'sample' === $post->filter
|
||||||
|
) {
|
||||||
|
$sample = true;
|
||||||
|
} else {
|
||||||
|
$post = get_post( $post );
|
||||||
|
$sample = null !== $sample ? $sample : false;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( ! $post ) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
$post_status_obj = get_post_status_object( get_post_status( $post ) );
|
||||||
|
$post_type_obj = get_post_type_object( get_post_type( $post ) );
|
||||||
|
|
||||||
|
if ( ! $post_status_obj || ! $post_type_obj ) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (
|
||||||
|
// Publicly viewable links never have ugly permalinks.
|
||||||
|
is_post_status_viewable( $post_status_obj ) ||
|
||||||
|
(
|
||||||
|
// Private posts don't have ugly links if the user can read them.
|
||||||
|
$post_status_obj->private &&
|
||||||
|
current_user_can( 'read_post', $post->ID )
|
||||||
|
) ||
|
||||||
|
// Protected posts don't have ugly links if getting a sample URL.
|
||||||
|
( $post_status_obj->protected && $sample )
|
||||||
|
) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Retrieves the full permalink for the current post or post ID.
|
* Retrieves the full permalink for the current post or post ID.
|
||||||
*
|
*
|
||||||
|
@ -166,7 +218,7 @@ function get_permalink( $post = 0, $leavename = false ) {
|
||||||
|
|
||||||
if (
|
if (
|
||||||
$permalink &&
|
$permalink &&
|
||||||
! in_array( $post->post_status, array( 'draft', 'pending', 'auto-draft', 'future', 'trash' ), true )
|
! wp_force_ugly_post_permalink( $post )
|
||||||
) {
|
) {
|
||||||
|
|
||||||
$category = '';
|
$category = '';
|
||||||
|
@ -277,7 +329,7 @@ function get_post_permalink( $id = 0, $leavename = false, $sample = false ) {
|
||||||
|
|
||||||
$slug = $post->post_name;
|
$slug = $post->post_name;
|
||||||
|
|
||||||
$draft_or_pending = get_post_status( $post ) && in_array( get_post_status( $post ), array( 'draft', 'pending', 'auto-draft', 'future' ), true );
|
$force_ugly_link = wp_force_ugly_post_permalink( $post );
|
||||||
|
|
||||||
$post_type = get_post_type_object( $post->post_type );
|
$post_type = get_post_type_object( $post->post_type );
|
||||||
|
|
||||||
|
@ -285,13 +337,13 @@ function get_post_permalink( $id = 0, $leavename = false, $sample = false ) {
|
||||||
$slug = get_page_uri( $post );
|
$slug = get_page_uri( $post );
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( ! empty( $post_link ) && ( ! $draft_or_pending || $sample ) ) {
|
if ( ! empty( $post_link ) && ( ! $force_ugly_link || $sample ) ) {
|
||||||
if ( ! $leavename ) {
|
if ( ! $leavename ) {
|
||||||
$post_link = str_replace( "%$post->post_type%", $slug, $post_link );
|
$post_link = str_replace( "%$post->post_type%", $slug, $post_link );
|
||||||
}
|
}
|
||||||
$post_link = home_url( user_trailingslashit( $post_link ) );
|
$post_link = home_url( user_trailingslashit( $post_link ) );
|
||||||
} else {
|
} else {
|
||||||
if ( $post_type->query_var && ( isset( $post->post_status ) && ! $draft_or_pending ) ) {
|
if ( $post_type->query_var && ( isset( $post->post_status ) && ! $force_ugly_link ) ) {
|
||||||
$post_link = add_query_arg( $post_type->query_var, $slug, '' );
|
$post_link = add_query_arg( $post_type->query_var, $slug, '' );
|
||||||
} else {
|
} else {
|
||||||
$post_link = add_query_arg(
|
$post_link = add_query_arg(
|
||||||
|
@ -373,11 +425,11 @@ function _get_page_link( $post = false, $leavename = false, $sample = false ) {
|
||||||
|
|
||||||
$post = get_post( $post );
|
$post = get_post( $post );
|
||||||
|
|
||||||
$draft_or_pending = in_array( $post->post_status, array( 'draft', 'pending', 'auto-draft' ), true );
|
$force_ugly_link = wp_force_ugly_post_permalink( $post );
|
||||||
|
|
||||||
$link = $wp_rewrite->get_page_permastruct();
|
$link = $wp_rewrite->get_page_permastruct();
|
||||||
|
|
||||||
if ( ! empty( $link ) && ( ( isset( $post->post_status ) && ! $draft_or_pending ) || $sample ) ) {
|
if ( ! empty( $link ) && ( ( isset( $post->post_status ) && ! $force_ugly_link ) || $sample ) ) {
|
||||||
if ( ! $leavename ) {
|
if ( ! $leavename ) {
|
||||||
$link = str_replace( '%pagename%', get_page_uri( $post ), $link );
|
$link = str_replace( '%pagename%', get_page_uri( $post ), $link );
|
||||||
}
|
}
|
||||||
|
@ -417,13 +469,26 @@ function get_attachment_link( $post = null, $leavename = false ) {
|
||||||
|
|
||||||
$link = false;
|
$link = false;
|
||||||
|
|
||||||
$post = get_post( $post );
|
$post = get_post( $post );
|
||||||
$parent = ( $post->post_parent > 0 && $post->post_parent != $post->ID ) ? get_post( $post->post_parent ) : false;
|
$force_ugly_link = wp_force_ugly_post_permalink( $post );
|
||||||
if ( $parent && ! in_array( $parent->post_type, get_post_types(), true ) ) {
|
$parent_id = $post->post_parent;
|
||||||
$parent = false;
|
$parent = $parent_id ? get_post( $parent_id ) : false;
|
||||||
|
$parent_valid = true; // Default for no parent.
|
||||||
|
if (
|
||||||
|
$parent_id &&
|
||||||
|
(
|
||||||
|
$post->post_parent === $post->ID ||
|
||||||
|
! $parent ||
|
||||||
|
! is_post_type_viewable( get_post_type( $parent ) )
|
||||||
|
)
|
||||||
|
) {
|
||||||
|
// Post is either its own parent or parent post unavailable.
|
||||||
|
$parent_valid = false;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $wp_rewrite->using_permalinks() && $parent ) {
|
if ( $force_ugly_link || ! $parent_valid ) {
|
||||||
|
$link = false;
|
||||||
|
} elseif ( $wp_rewrite->using_permalinks() && $parent ) {
|
||||||
if ( 'page' === $parent->post_type ) {
|
if ( 'page' === $parent->post_type ) {
|
||||||
$parentlink = _get_page_link( $post->post_parent ); // Ignores page_on_front.
|
$parentlink = _get_page_link( $post->post_parent ); // Ignores page_on_front.
|
||||||
} else {
|
} else {
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
*
|
*
|
||||||
* @global string $wp_version
|
* @global string $wp_version
|
||||||
*/
|
*/
|
||||||
$wp_version = '5.7-alpha-50131';
|
$wp_version = '5.7-alpha-50132';
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
|
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
|
||||||
|
|
Loading…
Reference in New Issue