Changeset 50038 for branches/5.6/src/wp-admin/includes/privacy-tools.php

Timestamp:

01/27/2021 11:47:43 PM (4 years ago)

Author:

whyisjake

Message:

Privacy: Ensure that exported user data reports can't be found with directory listings.

By moving from .html to .php files, we can prevent directory listings, and ensure that WordPress can load.

This brings the changes from [50037] to the 5.6 branch.

Fixes #52299.

Props lucasbustamante, xkon, freewebmentor, SergeyBiryukov, whyisjake.

Location:

branches/5.6

Files:

• . (modified) (1 prop)
• src/wp-admin/includes/privacy-tools.php (modified) (2 diffs)

branches/5.6/src/wp-admin/includes/privacy-tools.php

@@ -323 +323 @@
 
     // Protect export folder from browsing.
-    $index_pathname = $exports_dir . 'index.html';
+    $index_pathname = $exports_dir . 'index.php';
     if ( ! file_exists( $index_pathname ) ) {
         $file = fopen( $index_pathname, 'w' );
@@ -329 +329 @@
             wp_send_json_error( __( 'Unable to protect user privacy export folder from browsing.' ) );
         }
-        fwrite( $file, '<!-- Silence is golden. -->' );
+        fwrite( $file, '<?php // Silence is golden.' );
         fclose( $file );
     }