Privacy: Ensure that exported user data reports can't be found with d…

…irectory listings. By moving from `.html` to `.php` files, we can prevent directory listings, and ensure that WordPress can load. Fixes #52299. Props lucasbustamante, xkon, freewebmentor, SergeyBiryukov, whyisjake. git-svn-id: https://develop.svn.wordpress.org/trunk@50037 602fd350-edb4-49c9-b593-d223f7449a82
WordPress · Jan 27, 2021 · a76f895 · a76f895
1 parent 448dd9d
commit a76f895
Show file tree

Hide file tree

Showing 4 changed files with 6 additions and 6 deletions.
diff --git a/src/wp-admin/includes/privacy-tools.php b/src/wp-admin/includes/privacy-tools.php
@@ -322,13 +322,13 @@ function wp_privacy_generate_personal_data_export_file( $request_id ) {
 	}
 
 	// Protect export folder from browsing.
-	$index_pathname = $exports_dir . 'index.html';
+	$index_pathname = $exports_dir . 'index.php';
 	if ( ! file_exists( $index_pathname ) ) {
 		$file = fopen( $index_pathname, 'w' );
 		if ( false === $file ) {
 			wp_send_json_error( __( 'Unable to protect personal data export folder from browsing.' ) );
 		}
-		fwrite( $file, '<!-- Silence is golden. -->' );
+		fwrite( $file, '<?php // Silence is golden.' );
 		fclose( $file );
 	}
 

diff --git a/src/wp-includes/functions.php b/src/wp-includes/functions.php
@@ -7398,7 +7398,7 @@ function wp_privacy_delete_old_export_files() {
 	}
 
 	require_once ABSPATH . 'wp-admin/includes/file.php';
-	$export_files = list_files( $exports_dir, 100, array( 'index.html' ) );
+	$export_files = list_files( $exports_dir, 100, array( 'index.php' ) );
 
 	/**
 	 * Filters the lifetime, in seconds, of a personal data export file.

diff --git a/tests/phpunit/tests/privacy/wpPrivacyDeleteOldExportFiles.php b/tests/phpunit/tests/privacy/wpPrivacyDeleteOldExportFiles.php
@@ -55,7 +55,7 @@ public static function wpSetUpBeforeClass( WP_UnitTest_Factory $factory ) {
 			wp_mkdir_p( $exports_dir );
 		}
 
-		self::$index_path          = $exports_dir . 'index.html';
+		self::$index_path          = $exports_dir . 'index.php';
 		self::$expired_export_file = $exports_dir . 'wp-personal-data-file-0123456789abcdef.zip';
 		self::$active_export_file  = $exports_dir . 'wp-personal-data-file-fedcba9876543210.zip';
 	}

diff --git a/tests/phpunit/tests/privacy/wpPrivacyGeneratePersonalDataExportFile.php b/tests/phpunit/tests/privacy/wpPrivacyGeneratePersonalDataExportFile.php
@@ -214,15 +214,15 @@ public function test_detect_cannot_create_folder() {
 	}
 
 	/**
-	 * Test that an index.html file can be added to the export directory.
+	 * Test that an index.php file can be added to the export directory.
 	 *
 	 * @ticket 44233
 	 */
 	public function test_creates_index_in_export_folder() {
 		$this->expectOutputString( '' );
 		wp_privacy_generate_personal_data_export_file( self::$export_request_id );
 
-		$this->assertTrue( file_exists( self::$exports_dir . 'index.html' ) );
+		$this->assertTrue( file_exists( self::$exports_dir . 'index.php' ) );
 	}
 
 	/**