WordPress.org

Make WordPress Core

Changeset 50038


Ignore:
Timestamp:
01/27/2021 11:47:43 PM (8 months ago)
Author:
whyisjake
Message:

Privacy: Ensure that exported user data reports can't be found with directory listings.

By moving from .html to .php files, we can prevent directory listings, and ensure that WordPress can load.

This brings the changes from [50037] to the 5.6 branch.

Fixes #52299.

Props lucasbustamante, xkon, freewebmentor, SergeyBiryukov, whyisjake.

Location:
branches/5.6
Files:
5 edited

Legend:

Unmodified
Added
Removed
  • branches/5.6

  • branches/5.6/src/wp-admin/includes/privacy-tools.php

    r49539 r50038  
    323323
    324324    // Protect export folder from browsing.
    325     $index_pathname = $exports_dir . 'index.html';
     325    $index_pathname = $exports_dir . 'index.php';
    326326    if ( ! file_exists( $index_pathname ) ) {
    327327        $file = fopen( $index_pathname, 'w' );
     
    329329            wp_send_json_error( __( 'Unable to protect user privacy export folder from browsing.' ) );
    330330        }
    331         fwrite( $file, '<!-- Silence is golden. -->' );
     331        fwrite( $file, '<?php // Silence is golden.' );
    332332        fclose( $file );
    333333    }
  • branches/5.6/src/wp-includes/functions.php

    r49745 r50038  
    73977397
    73987398    require_once ABSPATH . 'wp-admin/includes/file.php';
    7399     $export_files = list_files( $exports_dir, 100, array( 'index.html' ) );
     7399    $export_files = list_files( $exports_dir, 100, array( 'index.php' ) );
    74007400
    74017401    /**
  • branches/5.6/tests/phpunit/tests/privacy/wpPrivacyDeleteOldExportFiles.php

    r49603 r50038  
    5656        }
    5757
    58         self::$index_path          = $exports_dir . 'index.html';
     58        self::$index_path          = $exports_dir . 'index.php';
    5959        self::$expired_export_file = $exports_dir . 'wp-personal-data-file-0123456789abcdef.zip';
    6060        self::$active_export_file  = $exports_dir . 'wp-personal-data-file-fedcba9876543210.zip';
  • branches/5.6/tests/phpunit/tests/privacy/wpPrivacyGeneratePersonalDataExportFile.php

    r49603 r50038  
    215215
    216216    /**
    217      * Test that an index.html file can be added to the export directory.
     217     * Test that an index.php file can be added to the export directory.
    218218     *
    219219     * @ticket 44233
     
    223223        wp_privacy_generate_personal_data_export_file( self::$export_request_id );
    224224
    225         $this->assertTrue( file_exists( self::$exports_dir . 'index.html' ) );
     225        $this->assertTrue( file_exists( self::$exports_dir . 'index.php' ) );
    226226    }
    227227
Note: See TracChangeset for help on using the changeset viewer.