
🐛 Fixed private blogging leaking post information #8999

Merged (2 commits) on Sep 11, 2017

Conversation

kirrg001 (Contributor)

closes #8990

  • a condition in the private blogging app redirected rss && sitemap to 404, which can possibly leak content
  • remove this condition and ensure we always redirect to /private
  • robots.txt can stay, as it doesn't expose any post data

@ErisDS
Please see.
Why was this logic added in the first place? I was unable to find any reason.

closes TryGhost#8990

- a condition in the private blogging app redirected rss && sitemap to 404, which can possibly leak content
- remove this condition and ensure we always redirect to /private
@ErisDS (Member) commented Sep 11, 2017

@kirrg001 as per #8990 (comment), I agree that this logic can be changed to require the cookie instead of 404 and that that is a better approach.

Ideally, I think we should be looking to disable the whole sitemap feature for private blogs, so we don't end up doing all of the work that goes with it. However that is an optimisation, not high priority.

RSS feeds are slightly different - we need to provide a different, better way for people to access RSS feeds when the blog is in "private" mode, or when a blog requires memberships. E.g. the RSS feed lives on an unguessable route.

@kirrg001 (Contributor, Author)

> Ideally, I think we should be looking to disable the whole sitemap feature for private blogs, so we don't end up doing all of the work that goes with it. However that is an optimisation, not high priority.

Yeah, because it's only used for SEO optimisation. But agree, future improvement.

> RSS feeds are slightly different - we need to provide a different, better way for people to access RSS feeds when the blog is in "private" mode, or when a blog requires memberships. E.g. the RSS feed lives on an unguessable route.

We've rendered a 404 page before, so I guess this is a future improvement as well? As soon as we have clear use cases (e.g. blogs which are private, but have memberships, the members should be able to access rss or if a blog has memberships, you are not able to make your blog private or ....), we can improve this.

@ErisDS ErisDS merged commit add9e54 into TryGhost:master Sep 11, 2017
@ErisDS ErisDS mentioned this pull request Sep 12, 2017
6 tasks
@ErisDS ErisDS removed their assignment Jun 22, 2021
Successfully merging this pull request may close these issues.

404 error page leaks blog post information in private blog