From a76f895146c14e2022a79395e82140b60b05c427 Mon Sep 17 00:00:00 2001
From: Jake Spurlock <whyisjake@git.wordpress.org>
Date: Wed, 27 Jan 2021 23:45:29 +0000
Subject: [PATCH] Privacy: Ensure that exported user data reports can't be
 found with directory listings.

By moving from `.html` to `.php` files, we can prevent directory listings, and ensure that WordPress can load.

Fixes #52299.

Props lucasbustamante, xkon, freewebmentor, SergeyBiryukov, whyisjake.


git-svn-id: https://develop.svn.wordpress.org/trunk@50037 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-admin/includes/privacy-tools.php                       | 4 ++--
 src/wp-includes/functions.php                                 | 2 +-
 tests/phpunit/tests/privacy/wpPrivacyDeleteOldExportFiles.php | 2 +-
 .../tests/privacy/wpPrivacyGeneratePersonalDataExportFile.php | 4 ++--
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/wp-admin/includes/privacy-tools.php b/src/wp-admin/includes/privacy-tools.php
index 629302fc2d..eb3407c06b 100644
--- a/src/wp-admin/includes/privacy-tools.php
+++ b/src/wp-admin/includes/privacy-tools.php
@@ -322,13 +322,13 @@ function wp_privacy_generate_personal_data_export_file( $request_id ) {
 	}
 
 	// Protect export folder from browsing.
-	$index_pathname = $exports_dir . 'index.html';
+	$index_pathname = $exports_dir . 'index.php';
 	if ( ! file_exists( $index_pathname ) ) {
 		$file = fopen( $index_pathname, 'w' );
 		if ( false === $file ) {
 			wp_send_json_error( __( 'Unable to protect personal data export folder from browsing.' ) );
 		}
-		fwrite( $file, '<!-- Silence is golden. -->' );
+		fwrite( $file, '<?php // Silence is golden.' );
 		fclose( $file );
 	}
 
diff --git a/src/wp-includes/functions.php b/src/wp-includes/functions.php
index a344af10a4..536f195b14 100644
--- a/src/wp-includes/functions.php
+++ b/src/wp-includes/functions.php
@@ -7398,7 +7398,7 @@ function wp_privacy_delete_old_export_files() {
 	}
 
 	require_once ABSPATH . 'wp-admin/includes/file.php';
-	$export_files = list_files( $exports_dir, 100, array( 'index.html' ) );
+	$export_files = list_files( $exports_dir, 100, array( 'index.php' ) );
 
 	/**
 	 * Filters the lifetime, in seconds, of a personal data export file.
diff --git a/tests/phpunit/tests/privacy/wpPrivacyDeleteOldExportFiles.php b/tests/phpunit/tests/privacy/wpPrivacyDeleteOldExportFiles.php
index 37d55dbadd..8b9b5a80fb 100644
--- a/tests/phpunit/tests/privacy/wpPrivacyDeleteOldExportFiles.php
+++ b/tests/phpunit/tests/privacy/wpPrivacyDeleteOldExportFiles.php
@@ -55,7 +55,7 @@ class Tests_Privacy_WpPrivacyDeleteOldExportFiles extends WP_UnitTestCase {
 			wp_mkdir_p( $exports_dir );
 		}
 
-		self::$index_path          = $exports_dir . 'index.html';
+		self::$index_path          = $exports_dir . 'index.php';
 		self::$expired_export_file = $exports_dir . 'wp-personal-data-file-0123456789abcdef.zip';
 		self::$active_export_file  = $exports_dir . 'wp-personal-data-file-fedcba9876543210.zip';
 	}
diff --git a/tests/phpunit/tests/privacy/wpPrivacyGeneratePersonalDataExportFile.php b/tests/phpunit/tests/privacy/wpPrivacyGeneratePersonalDataExportFile.php
index 88544fc460..68d1136cc0 100644
--- a/tests/phpunit/tests/privacy/wpPrivacyGeneratePersonalDataExportFile.php
+++ b/tests/phpunit/tests/privacy/wpPrivacyGeneratePersonalDataExportFile.php
@@ -214,7 +214,7 @@ class Tests_Privacy_WpPrivacyGeneratePersonalDataExportFile extends WP_UnitTestC
 	}
 
 	/**
-	 * Test that an index.html file can be added to the export directory.
+	 * Test that an index.php file can be added to the export directory.
 	 *
 	 * @ticket 44233
 	 */
@@ -222,7 +222,7 @@ class Tests_Privacy_WpPrivacyGeneratePersonalDataExportFile extends WP_UnitTestC
 		$this->expectOutputString( '' );
 		wp_privacy_generate_personal_data_export_file( self::$export_request_id );
 
-		$this->assertTrue( file_exists( self::$exports_dir . 'index.html' ) );
+		$this->assertTrue( file_exists( self::$exports_dir . 'index.php' ) );
 	}
 
 	/**