VIP-Coding-Standards
VIP-Coding-Standards copied to clipboard
Automattic
Improve file operations checks to allow for use of stream wrappers
What problem would the enhancement address for VIP?
#415 dropped the file operations down from Errors to Warnings, but this is not the full picture.
Here's a rundown of how file operations / stream wrappers will work on VIP:
- If a PHP file operation is done with a normal file path, it won't work, unless writing to the
tempdirectory. - If a PHP file operation is done where the file has been opened with the
vip://protocol, then it will to use stream wrappers and will work. - If WP_Filesystem is used for file operations, it should switch to use the right protocol, based on whether they are in the
uploadsortempdirectory, or if the path useswp_upload_dir()orwp_get_upload_dir(), should work. - If the path is outside of uploads and temp directories, then file writing can not work.
Aside: Noting here that just because you can, doesn't mean you should. File operations are done over HTTP API, so as an example, writing a log file to the uploads directory and writing to it several times during one request would be a bad idea, to the performance of file IO over HTTP.
Describe the solution you'd like
Needs to be fleshed out, but instead of just checking for discrete file ops calls, we need to look at how the file was opened for reading or writing, and the arguments of that (for instance) fopen() call, to determine if the file operation behaviour is likely to succeed.
This will be made trickier by having to look for fopen() or other calls happening before the file operation function call (which may be in another file), or the arg for that fopen() being a variable that may be defined elsewhere (different function, different file, etc.). In these cases, the best we can do is to give a Warning.
If we can determine with confidence how the file was opened (including matching file handles), we can then run through the conditions above to determine if we can throw an Error.
This will need a new sniff.
What code should be reported as a violation?
{To be completed with more examples}
// Correctly opening file
$basedir = wp_upload_dir()[ 'basedir' ]; // this will return the proper vip protocol stream
$file = fopen( $basedir . '/test.txt', '+r' );
// Simplified example of how to upload a file using PHP functions
$csv_content = '1,hello,admin';
$upload_dir = wp_get_upload_dir()['basedir'];
$file_path = $upload_dir . '/csv/updated.csv';
file_put_contents( $file_path, $csv_content );
// The file will now be accessible at <a href="https://example-com.go-vip.net/wp-content/uploads/csv/updated.csv">https://example-com.go-vip.net/wp-content/uploads/csv/updated.csv</a>
// Example that parses an uploaded CSV and stores the contents in a variable
$csv_attachment = get_attached_file( 1234 );
$csv_file = file( $csv_attachment );
$csv_content = array_map( 'str_getcsv', $csv_file );
What code should not be reported as a violation?
{To be completed with more examples}
// Incorrectly opening file
$file = fopen( './test.txt', '+r' );
// Thus the following functions would work or not depending on the how it's opened above
fread( $file, 1024 );
fwrite( $file, 'new string' );
fclose( $file );
Additional context
- #415 has a bit more discussion.
- Link to Lobby post
- VIP documentation
