Make WordPress Core

Opened 10 years ago

Closed 10 years ago

#30159 closed enhancement (duplicate)

Have option for php file-handling for added security

Reported by: tschwarz
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: General
Keywords:
Focuses: administration
Cc:


Currently, it is possible to access the files attached to private posts if the file's URL is known. That's expected behaviour. I suggest an option to allow PHP file handling (similar to the previous file handling in multisite) to be able to check whether a direct file request is made by a logged-in user. I understand that ms-files.php was removed in 3.5 for performance reasons, but I suggest it would be useful to have a PHP file-serving option for added security.

This thread summarizes my findings in this respect.

Change History (1)

#1 @jeremyfelt
10 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed
  • Version 4.0 deleted

Hi, thanks for taking the time to open a ticket.

We've covered this before in #20527 and #28748. This is entirely possible to do at a plugin level and likely makes sense to fit the numerous edge cases involved with authentication and files.
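
A sketch of the plugin-level approach discussed in this ticket, added here as an illustration; it is not code from WordPress core or from either participant. It assumes a web-server rewrite that sends every uploads request to `index.php?gated_file=<path>`; the `gated_file` parameter and the `pag_` function name are hypothetical.

```php
<?php
/**
 * Plugin Name: Private Attachment Gate (added illustration, hypothetical)
 * Assumption: the web server rewrites /wp-content/uploads/<path> to
 * /index.php?gated_file=<path>, so no upload is served statically.
 */
add_action( 'init', 'pag_serve_gated_file' );

function pag_serve_gated_file() {
	if ( ! isset( $_GET['gated_file'] ) || ! is_string( $_GET['gated_file'] ) ) {
		return; // Not a file request; let WordPress continue.
	}
	$uploads = wp_get_upload_dir();
	$base    = realpath( $uploads['basedir'] );
	$path    = realpath( $base . '/' . ltrim( wp_unslash( $_GET['gated_file'] ), '/' ) );

	// The resolved path must be a regular file inside the uploads directory.
	if ( ! $base || ! $path || ! is_file( $path )
		|| 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
		status_header( 404 );
		exit;
	}

	// Map the canonical path back to its attachment. Intermediate image sizes
	// (name-300x200.jpg) are not stored under that name, so retry without the suffix.
	$inside = str_replace( DIRECTORY_SEPARATOR, '/', substr( $path, strlen( $base ) + 1 ) );
	$url    = $uploads['baseurl'] . '/' . $inside;
	$id     = attachment_url_to_postid( $url );
	if ( ! $id ) {
		$id = attachment_url_to_postid( preg_replace( '/-\d+x\d+(\.[^.\/]+)$/', '$1', $url ) );
	}
	$parent     = $id ? (int) wp_get_post_parent_id( $id ) : 0;
	$restricted = $parent && 'publish' !== get_post_status( $parent );

	// A file attached to a non-published post needs the same capability as the
	// post itself. Answer 404 so a denied request looks like a missing file.
	if ( $restricted && ! current_user_can( 'read_post', $parent ) ) {
		status_header( 404 );
		exit;
	}

	$type = wp_check_filetype( $path );
	header( 'Content-Type: ' . ( $type['type'] ? $type['type'] : 'application/octet-stream' ) );
	header( 'X-Content-Type-Options: nosniff' );
	header( 'Content-Length: ' . filesize( $path ) );
	header( 'Cache-Control: ' . ( $restricted ? 'private, no-store' : 'public, max-age=3600' ) );
	readfile( $path );
	exit;
}
```

Files that do not resolve to an attachment, or whose attachment has no parent post, are served without a check in this sketch.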
