From 4863a926efbf210f0773b190d06765a5c731dfc3 Mon Sep 17 00:00:00 2001
From: John Blackbourn <johnbillion@git.wordpress.org>
Date: Wed, 29 Jan 2025 18:10:47 +0000
Subject: [PATCH] Posts, Post Types: Add no-cache headers to password protected
 posts.

This instructs an intermediate cache, for example a proxy server, to not cache a password protected post both before and after a visitor has entered a password.

Props brevilo, haozi, ironprogrammer, narenin

Fixes #61711

git-svn-id: https://develop.svn.wordpress.org/trunk@59728 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/class-wp.php           |  5 +++
 tests/phpunit/tests/wp/sendHeaders.php | 43 ++++++++++++++++++++++++++
 2 files changed, 48 insertions(+)

diff --git a/src/wp-includes/class-wp.php b/src/wp-includes/class-wp.php
index ce88c102cf..f2b114e708 100644
--- a/src/wp-includes/class-wp.php
+++ b/src/wp-includes/class-wp.php
@@ -545,6 +545,11 @@ class WP {
 			if ( $post && pings_open( $post ) ) {
 				$headers['X-Pingback'] = get_bloginfo( 'pingback_url', 'display' );
 			}
+
+			// Send nocache headers for password protected posts to avoid unwanted caching.
+			if ( ! empty( $post->post_password ) ) {
+				$headers = array_merge( $headers, wp_get_nocache_headers() );
+			}
 		}
 
 		/**
diff --git a/tests/phpunit/tests/wp/sendHeaders.php b/tests/phpunit/tests/wp/sendHeaders.php
index b5fc56bf20..4974d74caf 100644
--- a/tests/phpunit/tests/wp/sendHeaders.php
+++ b/tests/phpunit/tests/wp/sendHeaders.php
@@ -6,6 +6,7 @@
  * @covers WP::send_headers
  */
 class Tests_WP_SendHeaders extends WP_UnitTestCase {
+	protected $headers_sent = array();
 
 	/**
 	 * @ticket 56068
@@ -35,4 +36,46 @@ class Tests_WP_SendHeaders extends WP_UnitTestCase {
 		$post_id = self::factory()->post->create();
 		$this->go_to( get_permalink( $post_id ) );
 	}
+
+	/**
+	 * @ticket 61711
+	 */
+	public function test_send_headers_sets_cache_control_header_for_password_protected_posts() {
+		$password = 'password';
+
+		add_filter(
+			'wp_headers',
+			function ( $headers ) {
+				$this->headers_sent = $headers;
+				return $headers;
+			}
+		);
+
+		$post_id = self::factory()->post->create(
+			array(
+				'post_password' => $password,
+			)
+		);
+		$this->go_to( get_permalink( $post_id ) );
+
+		$headers_without_password         = $this->headers_sent;
+		$password_status_without_password = post_password_required( $post_id );
+
+		require_once ABSPATH . WPINC . '/class-phpass.php';
+
+		$hash = ( new PasswordHash( 8, true ) )->HashPassword( $password );
+
+		$_COOKIE[ 'wp-postpass_' . COOKIEHASH ] = $hash;
+
+		$this->go_to( get_permalink( $post_id ) );
+
+		$headers_with_password         = $this->headers_sent;
+		$password_status_with_password = post_password_required( $post_id );
+
+		$this->assertTrue( $password_status_without_password );
+		$this->assertArrayHasKey( 'Cache-Control', $headers_without_password );
+
+		$this->assertFalse( $password_status_with_password );
+		$this->assertArrayHasKey( 'Cache-Control', $headers_with_password );
+	}
 }