Bug / URL guessing

@doffine sorry for the delay… When You say Url Guess You mean URL Autocorrect Guessing?

Anyway, It seems our plugin it’s not handle the new URL Autocorrect Guessing.

For now You can quickly solve it by disabling the Guessing feature while Your website is under construction.

Just add this to Your template function and should do the job:

function remove_redirect_guess_404_permalink( $redirect_url ) {
    if ( is_404() && !isset($_GET['p']) )
        return false;
    return $redirect_url;
}
	
add_filter( 'redirect_canonical', 'remove_redirect_guess_404_permalink' );

@manuelrocha88 thanks for coming back to us.

Since we maintain several hundrets of WordPress installations – many use your plugin – it’s not really the most practicable way to implement this snippet in all of the installations.

It would be more interesting to hear from you, if you intend to fix this bug in your plugin and when you think this could be done?

Many greetings,
-doffine

@manuelrocha88 you just release a new version. Is it that you solved the above problem in the new version so that we are not forced to roll out your code snippet into all installations?

Many greetings,
-doffine

@doffine we were expecting you to tell us if it solved or not. As You are the only person that complain we need to at least confirm it solved to some of your solutions.

@manuelrocha88 ok, we just tested it again, and it hasn’t been fixed so far.

URL Autocorrect Guessing by WordPress still rewrites the URL even if your Maintenance plugin is activated.

1. This is the case in all of our installations of your plugin: On four different servers in different data centers and in many different WordPress installations. It is not an edge case or something like that. It just seems to be the way your plugin behaves at this moment.

2. Maybe we are – as you state it above – the only ones that noted this bug so far. But this doesn’t change a thing on the fact that this is maybe even a security relevant problem. If one installs your plugin and puts his website behind your maintenance curtains he will rely on this. He will rely on your plugin completely hiding _all_ information/content from the public. Even a “little thing” like a speaking URL could reveal information to the public that should not be revealed (at least at this moment). One does not have to be very creative to imagine cases where this could have really bad consequences. So we are a little bit surprised why you don’t fix this with quite high priority.

3. It is not difficult to set up a test scenario. Just take a WordPress installation, try out a short, per se not existing link that leads to a subpage by URL Autocorrect Guessing. Then copy this short link to your clipboard. Activate your plugin. Paste the short link and see that it still gets resolved to the complete existing page URL. Voilà: Information revealed.

Many greetings,
-doffine

@doffine but did you put the code that i give to you? Because on our test environment it worked as expected. We just want to make sure that it will not break other stuff on other clients solutions. As You are the only one complaining you are the only one that can test the solution…

@manuelrocha88 ok, we just tested your code snippet and it works.

We understood you in a way that you intended to implement this fix in the plugin itself (and the snippet would just be a workaround) so that we don’t have to put this snippet everywhere.

So now as we know your snippet works: Will you put this fix into the plugin’s next release?

Greetings,
-doffine

@doffine so I already passed the confirmation to dev team and they told me that this will come with the next plugin release. This is going to happen around mid of this month.

@manuelrocha88 That sounds good. Thank you very much!

-doffine