Privacy: Ensure that exported user data reports can't be found with directory listings.

By moving from `.html` to `.php` files, we can prevent directory listings, and ensure that WordPress can load. Fixes #52299. Props lucasbustamante, xkon, freewebmentor, SergeyBiryukov, whyisjake. git-svn-id: https://develop.svn.wordpress.org/trunk@50037 602fd350-edb4-49c9-b593-d223f7449a82
2025-04-21 04:31:55 +02:00 · 2021-01-27 23:45:29 +00:00 · 2021-01-27 23:45:29 +00:00 · a76f895146
commit a76f895146
parent 448dd9d63c
4 changed files with 6 additions and 6 deletions
--- a/src/wp-admin/includes/privacy-tools.php
+++ b/src/wp-admin/includes/privacy-tools.php
@ -322,13 +322,13 @@ function wp_privacy_generate_personal_data_export_file( $request_id ) {
 	}

 	// Protect export folder from browsing.
-	$index_pathname = $exports_dir . 'index.html';
+	$index_pathname = $exports_dir . 'index.php';
 	if ( ! file_exists( $index_pathname ) ) {
 		$file = fopen( $index_pathname, 'w' );
 		if ( false === $file ) {
 			wp_send_json_error( __( 'Unable to protect personal data export folder from browsing.' ) );
 		}
-		fwrite( $file, '<!-- Silence is golden. -->' );
+		fwrite( $file, '<?php // Silence is golden.' );
 		fclose( $file );
 	}

--- a/src/wp-includes/functions.php
+++ b/src/wp-includes/functions.php
@ -7398,7 +7398,7 @@ function wp_privacy_delete_old_export_files() {
 	}

 	require_once ABSPATH . 'wp-admin/includes/file.php';
-	$export_files = list_files( $exports_dir, 100, array( 'index.html' ) );
+	$export_files = list_files( $exports_dir, 100, array( 'index.php' ) );

 	/**
 	 * Filters the lifetime, in seconds, of a personal data export file.
--- a/tests/phpunit/tests/privacy/wpPrivacyDeleteOldExportFiles.php
+++ b/tests/phpunit/tests/privacy/wpPrivacyDeleteOldExportFiles.php
@ -55,7 +55,7 @@ class Tests_Privacy_WpPrivacyDeleteOldExportFiles extends WP_UnitTestCase {
 			wp_mkdir_p( $exports_dir );
 		}

-		self::$index_path          = $exports_dir . 'index.html';
+		self::$index_path          = $exports_dir . 'index.php';
 		self::$expired_export_file = $exports_dir . 'wp-personal-data-file-0123456789abcdef.zip';
 		self::$active_export_file  = $exports_dir . 'wp-personal-data-file-fedcba9876543210.zip';
 	}
--- a/tests/phpunit/tests/privacy/wpPrivacyGeneratePersonalDataExportFile.php
+++ b/tests/phpunit/tests/privacy/wpPrivacyGeneratePersonalDataExportFile.php
@ -214,7 +214,7 @@ class Tests_Privacy_WpPrivacyGeneratePersonalDataExportFile extends WP_UnitTestC
 	}

 	/**
-	 * Test that an index.html file can be added to the export directory.
+	 * Test that an index.php file can be added to the export directory.
 	 *
 	 * @ticket 44233
 	 */
@ -222,7 +222,7 @@ class Tests_Privacy_WpPrivacyGeneratePersonalDataExportFile extends WP_UnitTestC
 		$this->expectOutputString( '' );
 		wp_privacy_generate_personal_data_export_file( self::$export_request_id );

-		$this->assertTrue( file_exists( self::$exports_dir . 'index.html' ) );
+		$this->assertTrue( file_exists( self::$exports_dir . 'index.php' ) );
 	}

 	/**