Make WordPress Core

Opened 6 years ago

Last modified 4 years ago

#44204 new defect (bug)

Privacy export codebase in 4.9.6 doesn't use WP Filesystem API

Reported by: diablodale's profile diablodale Owned by:
Milestone: Future Release Priority: normal
Severity: normal Version: 4.9.6
Component: Privacy Keywords: needs-patch
Focuses: administration Cc:

Description

The codebase added in WP 4.9.6 for privacy was written with low-level file APIs like fopen(), file_exists(), fwrite(), etc. rather than the WP Filesystem API. Quick to see in wp_privacy_generate_personal_data_export_file(). This restricts core parts of the privacy management functionality to only operate on hosts with direct access to the local filesystem.

It is recommended to instead use the WP Filesystem API so that more secure hosts are supported and a broader set of filesystems can be used, e.g. SSH, FTPext, FTPsocket, etc. https://codex.wordpress.org/Filesystem_API

Change History (4)

#1 @birgire
6 years ago

Welcome to WordPress Trac @diablodale

This crossed my mind when looking at ways to unit test the wp_privacy_generate_personal_data_export_file() function. I haven't looked into the internals of WP Filesystem API, but I suspect it could make the testing easier. It seems e.g. Drupal is using vfsStream to mock the file system, but the requirements are PHP 5.3.

I think this is a restriction for plugins that write the upload folder, but not for core in general, but it seems like a good suggestion here.

This ticket was mentioned in Slack in #core-privacy by garrett-eclipse. View the logs.


5 years ago

#3 @garrett-eclipse
5 years ago

  • Focuses privacy removed
  • Keywords needs-patch added
  • Milestone changed from Awaiting Review to Future Release
Note: See TracTickets for help on using tickets.