Make WordPress Core

Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#36467 closed enhancement (wontfix)

Disable zip extension in themes directory

Reported by: ahmedash95 Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: General Keywords:
Focuses: template Cc:

Description

A lot of developers upload a theme zip file to wp-content/themes/theme_name.zip, then they extract the file and forget to remove it later. That makes it easy for anyone to download this theme later: if he views the source and gets the theme directory wp-content/themes/ahmed_theme/style.css, and he tries to download the file wp-content/themes/ahmed_theme.zip, the file will start to download. So I think the WordPress default htaccess must come with this rewrite rule to protect users.

RewriteRule ^wp-content/themes/.*\.(zip|rar)$ - [F,L,NC]

Change History (2)

#1 @dd32
8 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

At this time, we don't add rewrite rules to block access to files - if a user doesn't want files downloadable, they shouldn't be placed within a publicly readable location, or should have a unique non-guessable filename.

Some security plugins are known to add extra rewrite rules to potentially block invalid requests; I don't think I've seen any of those add a similar rule to this either.

#2 @ahmedash95
8 years ago

I agree with you, but a lot of users make this mistake by accident and they completely forget to protect their important files. I think WordPress must have some protective ways to secure users' files.
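
One way to check a site for the situation discussed in this ticket, as an added example that is not part of the ticket or of WordPress: a Python audit that lists archives left under a themes directory and flags those sitting at the top level under an installed theme's name, the guessable case described above. The function names and the sample tree are constructed for illustration; files are identified by signature as well as extension, so a renamed archive is still reported.

```python
import os
import tempfile

# Leading bytes of the two archive formats named in the ticket's rule.
MAGIC = {b"PK\x03\x04": "zip", b"PK\x05\x06": "zip", b"Rar!\x1a\x07": "rar"}
ARCHIVE_EXTS = {".zip", ".rar"}


def sniff(path):
    """Return 'zip' or 'rar' if the file starts with a known signature."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def find_leftover_archives(themes_dir):
    """Return sorted (relative_path, kind, guessable) for each archive found."""
    theme_names = {e.name.lower() for e in os.scandir(themes_dir) if e.is_dir()}
    findings = []
    for root, _dirs, files in os.walk(themes_dir):
        for name in files:
            path = os.path.join(root, name)
            stem, ext = os.path.splitext(name)
            by_ext = ext[1:].lower() if ext.lower() in ARCHIVE_EXTS else None
            kind = sniff(path) or by_ext
            if kind is None:
                continue
            # Guessable: top-level file named after an installed theme folder.
            guessable = root == themes_dir and stem.lower() in theme_names
            findings.append((os.path.relpath(path, themes_dir), kind, guessable))
    return sorted(findings)


def demo():
    """Audit a constructed themes tree (sample data, not from a real site)."""
    with tempfile.TemporaryDirectory() as themes:
        os.makedirs(os.path.join(themes, "ahmed_theme"))
        with open(os.path.join(themes, "ahmed_theme", "style.css"), "w") as fh:
            fh.write("/* Theme Name: ahmed_theme */")
        with open(os.path.join(themes, "ahmed_theme.zip"), "wb") as fh:
            fh.write(b"PK\x05\x06" + b"\x00" * 18)  # empty zip archive
        with open(os.path.join(themes, "ahmed_theme", "backup.bak"), "wb") as fh:
            fh.write(b"PK\x03\x04" + b"\x00" * 26)  # zip header, renamed file
        return find_leftover_archives(themes)
```

On a real install, call `find_leftover_archives()` with the path to `wp-content/themes` and move or delete whatever it reports.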
