Changeset 50037 for trunk/src/wp-admin/includes/privacy-tools.php

Timestamp:

01/27/2021 11:45:29 PM (5 years ago)

Author:

whyisjake

Message:

Privacy: Ensure that exported user data reports can't be found with directory listings.

By moving from .html to .php files, we can prevent directory listings, and ensure that WordPress can load.

Fixes #52299.

Props lucasbustamante, xkon, freewebmentor, SergeyBiryukov, whyisjake.

File:

• trunk/src/wp-admin/includes/privacy-tools.php (modified) (2 diffs)

trunk/src/wp-admin/includes/privacy-tools.php

@@ -323 +323 @@
 
     // Protect export folder from browsing.
-    $index_pathname = $exports_dir . 'index.html';
+    $index_pathname = $exports_dir . 'index.php';
     if ( ! file_exists( $index_pathname ) ) {
         $file = fopen( $index_pathname, 'w' );
@@ -329 +329 @@
             wp_send_json_error( __( 'Unable to protect personal data export folder from browsing.' ) );
         }
-        fwrite( $file, '<!-- Silence is golden. -->' );
+        fwrite( $file, '<?php // Silence is golden.' );
         fclose( $file );
     }