
Changeset 50037


Timestamp:
01/27/2021 11:45:29 PM (5 months ago)
Author:
whyisjake
Message:

Privacy: Ensure that exported user data reports can't be found with directory listings.

By moving from .html to .php files, we can prevent directory listings, and ensure that WordPress can load.

Fixes #52299.

Props lucasbustamante, xkon, freewebmentor, SergeyBiryukov, whyisjake.

Location:
trunk
Files:
4 edited

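--- a/trunk/src/wp-admin/includes/privacy-tools.php
+++ b/trunk/src/wp-admin/includes/privacy-tools.php
@@ -323,5 +323,5 @@
 
     // Protect export folder from browsing.
-    $index_pathname = $exports_dir . 'index.html';
+    $index_pathname = $exports_dir . 'index.php';
     if ( ! file_exists( $index_pathname ) ) {
         $file = fopen( $index_pathname, 'w' );
@@ -329,5 +329,5 @@
             wp_send_json_error( __( 'Unable to protect personal data export folder from browsing.' ) );
         }
-        fwrite( $file, '<!-- Silence is golden. -->' );
+        fwrite( $file, '<?php // Silence is golden.' );
         fclose( $file );
     }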
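Review bot: The comment `// Protect export folder from browsing.` promises more than the placeholder delivers and should state what the protection depends on. The `index.php` written here suppresses an automatic directory listing only where the web server resolves `index.php` as the directory index for this folder; a request that names an export archive directly is unaffected, so confidentiality of the archives presumably still rests on their file names being hard to guess. I would expand the comment to something like `// Placeholder index so servers that honour index.php do not list this folder; export files stay reachable by direct URL.` Separately, the return value of `fwrite()` is not checked, and because of the `file_exists()` guard a failed write is never retried on later exports. The enclosing function starts and ends outside this section.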
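--- a/trunk/src/wp-includes/functions.php
+++ b/trunk/src/wp-includes/functions.php
@@ -7399,5 +7399,5 @@
 
     require_once ABSPATH . 'wp-admin/includes/file.php';
-    $export_files = list_files( $exports_dir, 100, array( 'index.html' ) );
+    $export_files = list_files( $exports_dir, 100, array( 'index.php' ) );
 
     /**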
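Review bot: Dropping `'index.html'` from the exclusion list in the `list_files()` call means a placeholder left by an earlier revision is now returned alongside the export files and handled like any of them. If the code after this call deletes entries by age (it lies outside this section, so this is inferred), an upgraded site could lose its old `index.html` before the next export writes `index.php`, leaving unexpired archives in a folder with no index file at all. Excluding both names during the transition, `list_files( $exports_dir, 100, array( 'index.php', 'index.html' ) )`, or creating `index.php` in this routine before the cleanup runs, would close that window. A one-line comment stating which behaviour is intended for the legacy file would help the next reader.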
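--- a/trunk/tests/phpunit/tests/privacy/wpPrivacyDeleteOldExportFiles.php
+++ b/trunk/tests/phpunit/tests/privacy/wpPrivacyDeleteOldExportFiles.php
@@ -56,5 +56,5 @@
         }
 
-        self::$index_path          = $exports_dir . 'index.html';
+        self::$index_path          = $exports_dir . 'index.php';
         self::$expired_export_file = $exports_dir . 'wp-personal-data-file-0123456789abcdef.zip';
         self::$active_export_file  = $exports_dir . 'wp-personal-data-file-fedcba9876543210.zip';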
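--- a/trunk/tests/phpunit/tests/privacy/wpPrivacyGeneratePersonalDataExportFile.php
+++ b/trunk/tests/phpunit/tests/privacy/wpPrivacyGeneratePersonalDataExportFile.php
@@ -215,5 +215,5 @@
 
     /**
-     * Test that an index.html file can be added to the export directory.
+     * Test that an index.php file can be added to the export directory.
      *
      * @ticket 44233
@@ -223,5 +223,5 @@
         wp_privacy_generate_personal_data_export_file( self::$export_request_id );
 
-        $this->assertTrue( file_exists( self::$exports_dir . 'index.html' ) );
+        $this->assertTrue( file_exists( self::$exports_dir . 'index.php' ) );
     }
 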
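Review bot: The `assertTrue( file_exists( ... ) )` assertion checks only that `index.php` exists, so a regression in what the placeholder contains would go unnoticed. Adding `$this->assertStringStartsWith( '<?php', file_get_contents( self::$exports_dir . 'index.php' ) );` pins the content this change relies on. `assertFileExists()` would also give a clearer failure message than wrapping `file_exists()` in `assertTrue()`. The test method's signature lies outside this section.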