wordpress-develop icon indicating copy to clipboard operation
wordpress-develop copied to clipboard
verified publisher icon WordPress

Bootstrap/Load: Refactor debug.log handling for enhanced protection and usability

Open christian-dale opened this issue 1 year ago • 4 comments

This commit addresses concerns related to the /wp-content/debug.log file being publicly accessible, which may contain sensitive information in some circumstances. To mitigate this risk, a randomly generated string is now appended to the debug log filename. The debug.log file has also been prefixed with a dot, to make it a hidden file.

These changes enhance both the protection and usability of the debug.log subsystem.

Trac ticket: https://core.trac.wordpress.org/ticket/60611

This Pull Request is for code review only. Please keep all other discussion in the Trac ticket. Do not merge this Pull Request. See GitHub Pull Requests for Code Review in the Core Handbook for more details.

christian-dale avatar Feb 22 '24 19:02 christian-dale

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

Core Committers: Use this line as a base for the props when committing in SVN:

Props itschristiandale, lucasbustamante.

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

github-actions[bot] avatar Feb 22 '24 19:02 github-actions[bot]

Test using WordPress Playground

The changes in this pull request can previewed and tested using a WordPress Playground instance.

WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser.

Some things to be aware of

  • The Plugin and Theme Directories cannot be accessed within Playground.
  • All changes will be lost when closing a tab with a Playground instance.
  • All changes will be lost when refreshing the page.
  • A fresh instance is created each time the link below is clicked.
  • Every time this pull request is updated, a new ZIP file containing all changes is created. If changes are not reflected in the Playground instance, it's possible that the most recent build failed, or has not completed. Check the list of workflow runs to be sure.

For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation.

Test this pull request with WordPress Playground.

github-actions[bot] avatar Feb 22 '24 20:02 github-actions[bot]

Instead of generating a new debug log for every request, maybe we could use a deterministic, unique filename based on that site's salts? If the debug log file is persistent, I think there's no need for the debug directory, we basically keep everything as-is, but just randomize the debug log filename. Also, it could be prefixed with a dot to leverage the "hidden file" convention, as most web servers won't serve hidden files to web clients.

Luc45 avatar Apr 09 '24 12:04 Luc45

@Luc45 Thank you for your feedback. I have made the suggested changes.

christian-dale avatar May 09 '24 13:05 christian-dale