[RFE] s9y core: Do not leak titles of non-public posts

Discussion corner for Developers of Serendipity.
Anthem
Regular
Posts: 20
Joined: Wed Aug 03, 2005 10:28 pm

[RFE] s9y core: Do not leak titles of non-public posts

Post by Anthem »

When blog entries are marked private or members only (for example with the "Hide/delete entries for non-registered users after a specific timespan"-plugin) the entry body will be hidden or replaced with a 'No entries to print'-message. However the s9y core (currently v1.3.1) will happily leak the title of a non-public entry if one visits its permalink.

In index.php the HTML title is set for existing entries; for non-existing entries a 404 header gets generated. However, this does not seem to be the right place to check for the public/private setting on entries.

In /include/genpage.inc.php after

    switch ($serendipity['GET']['action']) {
        // User wants to read the diary
        case 'read':
            if (isset($serendipity['GET']['id'])) {
                $entry = array(serendipity_fetchEntry('id', $serendipity['GET']['id']));
                if (!is_array($entry) || count($entry) < 1) {
                    unset($serendipity['GET']['id']);
                    $entry = array(array());
                }
the following code can be inserted to stop titles from leaking, and generate a 404-header instead:

    // The fetch returned no usable entry array (private / members-only entry):
    // fall back to the plain blog title so the entry title never reaches <title>,
    // and answer with 404 exactly as for an entry that does not exist.
    else if (!is_array($entry[0])) {
        $serendipity['head_title'] = htmlspecialchars($serendipity['blogTitle']);
        $serendipity['head_subtitle'] = '';
        $serendipity['smarty']->assign('head_title', $serendipity['head_title']);
        $serendipity['smarty']->assign('head_subtitle', $serendipity['head_subtitle']);
        header('HTTP/1.0 404 Not found');
    }

Note: This code has only been tested in my current setup.
genpage.inc.php may also not be the best place to do this. The _fetchentry-function in /include/functions_entries.inc.php may be a better place, but setting the 404-header there seems a bit unclean.
2b || !2b
judebert
Regular
Posts: 2478
Joined: Sat Oct 15, 2005 6:57 am
Location: Orlando, FL

Post by judebert »

Doesn't the 'genpage' hook get called? Could we use it to set the header, or to return a generic 'Members Only' page?
Judebert
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Post by garvinhicking »

Hi!

Thanks a lot, I believe this fix to do well. I've just committed it to SVN:

http://svn.berlios.de/viewcvs/serendipi ... 20&r2=2302

I went with a slightly different IF-check that seems to do well in my installation, can you verify that?

Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
Anthem
Regular
Posts: 20
Joined: Wed Aug 03, 2005 10:28 pm

Post by Anthem »

Hi Garvin,

That does not work for me. For non-public entries $entry has the structure

    Array
    (
        [0] => 
    )

and thus the if-block is not entered.
2b || !2b
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Post by garvinhicking »

Hi!

Hm, strange, I somehow got a different empty result. I just committed another update with the empty array check.

Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
Anthem
Regular
Posts: 20
Joined: Wed Aug 03, 2005 10:28 pm

Post by Anthem »

Of course I'm on 1.3.1, and you're probably on the current source. Maybe the fetchentry function changed in the meantime?
2b || !2b
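As an added illustration, not code from this thread or from the s9y core, the visibility check and the 404 fallback discussed above gathered into two helpers that cover all three empty-result shapes mentioned in the thread (empty array, a null at index 0, an empty entry array). The function names are hypothetical; $serendipity is assumed to be the global array the rest of s9y uses, with the head_title/head_subtitle keys and the smarty object as they appear in the posts.

```php
<?php
// Added example (hypothetical helper names, not Serendipity's own API).
//
// Shapes of $entry = array(serendipity_fetchEntry(...)) seen in the thread
// for a non-public entry:
//   array()              - nothing fetched at all
//   array(0 => null)     - fetchEntry returned false/null (Anthem's output)
//   array(0 => array())  - an empty entry array
// Only a non-empty entry array at index 0 means "render this entry".
function s9y_entry_is_renderable($entry)
{
    if (!is_array($entry) || count($entry) < 1) {
        return false;
    }
    if (!isset($entry[0]) || !is_array($entry[0]) || count($entry[0]) < 1) {
        return false;
    }
    return true;
}

// Replace the page title with the blog title and send a 404 so that the
// response for a private/members-only permalink looks the same as the
// response for a permalink that never existed (no title, no existence hint).
function s9y_hide_entry(&$serendipity)
{
    $serendipity['head_title']    = htmlspecialchars($serendipity['blogTitle']);
    $serendipity['head_subtitle'] = '';
    $serendipity['smarty']->assign('head_title',    $serendipity['head_title']);
    $serendipity['smarty']->assign('head_subtitle', $serendipity['head_subtitle']);
    if (!headers_sent()) {
        header('HTTP/1.0 404 Not Found');
    }
}

// Usage at the 'read' case in genpage.inc.php, after the fetch:
//   if (!s9y_entry_is_renderable($entry)) {
//       unset($serendipity['GET']['id']);
//       $entry = array(array());
//       s9y_hide_entry($serendipity);
//   }
```

Because the same branch handles both "does not exist" and "not public", the status code and title no longer reveal which of the two applies.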