[wp-trac] [WordPress Trac] #30159: Have option for php file-handling for added security
WordPress Trac
noreply at wordpress.org
Wed Oct 29 03:15:54 UTC 2014
#30159: Have option for php file-handling for added security
----------------------------+-----------------------------
Reporter:  t.schwarz        |  Owner:
Type:      enhancement      |  Status:     new
Priority:  normal           |  Milestone:  Awaiting Review
Component: General          |  Version:    4.0
Severity:  normal           |  Keywords:
Focuses:   administration   |
----------------------------+-----------------------------
Currently, it is possible to access the files attached to private posts if
the file's URL is known. That's expected behaviour. I suggest an option to
allow php file handling (similar to the previous file handling in
multisite) to be able to check whether a direct file request is made by a
logged-in user. I understand that ms-files.php was removed in 3.5 for
performance reasons, but I suggest it would be useful to have a
php-file-serving option for added security.
This thread summarizes my findings in this respect.
http://wordpress.stackexchange.com/questions/165293/how-to-protect-specific-uploaded-files-from-being-accessed-by-non-logged-in-user
--
Ticket URL: <https://core.trac.wordpress.org/ticket/30159>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
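
An added example of the kind of PHP file handler the ticket asks for; it is not WordPress core code and not code from the ticket. The script name file-gate.php, the `file` query parameter and the helper gate_resolve_upload() are assumptions made for illustration, and the check is login-only: it does not look up whether the parent post is private.

```php
<?php
// file-gate.php: added example, not WordPress core code.
// Assumption: the web server rewrites /wp-content/uploads/<path> to
// /file-gate.php?file=<path> and this script sits in the WordPress root.
require __DIR__ . '/wp-load.php';

/**
 * Resolve a requested relative path inside the uploads directory (hypothetical helper).
 * Returns the absolute path, or false if the file is missing or escapes the base dir.
 */
function gate_resolve_upload( $relative, $basedir ) {
    $base = realpath( $basedir );
    $path = realpath( $basedir . '/' . ltrim( (string) $relative, '/\\' ) );
    if ( false === $base || false === $path || ! is_file( $path ) ) {
        return false;
    }
    // Containment check on the canonical path blocks ../ and symlink escapes.
    if ( 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        return false;
    }
    return $path;
}

if ( ! is_user_logged_in() ) {
    auth_redirect(); // Sends the visitor to the login form and exits.
}

$uploads   = wp_upload_dir();
$requested = isset( $_GET['file'] ) ? wp_unslash( $_GET['file'] ) : '';
$file      = gate_resolve_upload( $requested, $uploads['basedir'] );
if ( false === $file ) {
    status_header( 404 );
    exit;
}

$type = wp_check_filetype( $file );
if ( empty( $type['type'] ) ) {
    status_header( 403 ); // Refuse extensions WordPress does not recognise (for example .php).
    exit;
}

nocache_headers(); // Keep shared caches from storing a private file.
header( 'Content-Type: ' . $type['type'] );
header( 'X-Content-Type-Options: nosniff' );
header( 'Content-Length: ' . filesize( $file ) );
readfile( $file );
exit;
```

The login check only protects files if every request under the uploads directory is routed through the script; any path the web server still serves statically bypasses it. Loading WordPress for each file request is the performance cost the ticket refers to.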