WordPress.org

Make WordPress Core

Opened 4 weeks ago

Last modified 4 weeks ago

#44204 new defect (bug)

Privacy export codebase in 4.9.6 doesn't use WP Filesystem API

Reported by: diablodale Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 4.9.6
Component: Privacy Keywords:
Focuses: administration, privacy Cc:

Description

The codebase added in WP 4.9.6 for privacy was written with low-level file APIs like fopen(), file_exists(), fwrite(), etc. rather than the WP Filesystem API. Quick to see in wp_privacy_generate_personal_data_export_file(). This restricts core parts of the privacy management functionality to only operate on hosts with direct access to the local filesystem.

It is recommended to instead use the WP Filesystem API so that more secure hosts are supported and a broader set of filesystems can be used, e.g. SSH, FTPext, FTPsocket, etc. https://codex.wordpress.org/Filesystem_API

Change History (1)

#1 @birgire
4 weeks ago

Welcome to WordPress Trac @diablodale

This crossed my mind when looking at ways to unit test the wp_privacy_generate_personal_data_export_file() function. I haven't looked into the internals of WP Filesystem API, but I suspect it could make the testing easier. It seems e.g. Drupal is using vfsStream to mock the file system, but the requirements are PHP 5.3.

I think this is a restriction for plugins that write the upload folder, but not for core in general, but it seems like a good suggestion here.

Note: See TracTickets for help on using tickets.