URI Restrictions ~ Make CaSe InsensitiVe #354
Comments
|
@anatomism Thanks for this report! @clavaque Do you see any problems if we make URI Restrictions caSe insensitive? |
|
I think the issue here is partly related to some changes in WP. At one time, URIs were canonicalized automatically, to always use the caSe provided by a site owner. That seems to not be the case any longer, leaving room for this to be exploited in order to gain access to protected areas. |
|
Well, normally URIs are case sensitive, but if WordPress will now ignore casing for slugs, I think that we should follow suit. It's no good that we follow the web's standard regarding that, if WP will ignore it and let anyone sidestep the restriction. I'm sure there will be no-one that wants "staff" to be restricted but leave "Staff" public. |
|
Agreed! The only problem that comes to mind, is related to query string arguments, where caSe might matter to some of the existing installations out there. I don't see that as a major issue though, and in fact it seems more user-friendly if this is not caSe sensitive in any way. |
jaswrks
changed the title
|
Next release changelog:
|
|
|
I've been using S2 member for nearly a year. I use it on a multi site network, whereby one of the installs is entirely protected by S2 member "/staff".
Under the URI restrictions, this was set to "staff/" and it worked well, protecting "www.domain.com/staff", however as discovered yesterday, the URI restriction is case sensitive and navigating to "www.domain.com/STAFF" would bypass the URI restriction and give full access to anyone. I could not find anything in the documentation about this. My (hopefully temporary) solution was to list all 32 iterations of 'staff' with mixed case. If this is usual behaviour, I suggest warning users. In the next update
Thanks
The text was updated successfully, but these errors were encountered: