Make WordPress Core


Ignore:
Timestamp:
01/27/2021 11:47:43 PM (3 years ago)
Author:
whyisjake
Message:

Privacy: Ensure that exported user data reports can't be found with directory listings.

By moving from .html to .php files, we can prevent directory listings, and ensure that WordPress can load.

This brings the changes from [50037] to the 5.6 branch.

Fixes #52299.

Props lucasbustamante, xkon, freewebmentor, SergeyBiryukov, whyisjake.

Location:
branches/5.6
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • branches/5.6

  • branches/5.6/src/wp-admin/includes/privacy-tools.php

    r49539 r50038  
    323323
    324324    // Protect export folder from browsing.
    325     $index_pathname = $exports_dir . 'index.html';
     325    $index_pathname = $exports_dir . 'index.php';
    326326    if ( ! file_exists( $index_pathname ) ) {
    327327        $file = fopen( $index_pathname, 'w' );
     
    329329            wp_send_json_error( __( 'Unable to protect user privacy export folder from browsing.' ) );
    330330        }
    331         fwrite( $file, '<!-- Silence is golden. -->' );
     331        fwrite( $file, '<?php // Silence is golden.' );
    332332        fclose( $file );
    333333    }
Note: See TracChangeset for help on using the changeset viewer.