
Restrict file access to WP_CONTENT_DIR only #12

Draft
Copilot wants to merge 2 commits into master from copilot/remove-base-directory-logic

Copilot AI commented Feb 11, 2026

Addresses security concerns by removing all base directory logic and limiting file browsing to WP_CONTENT_DIR. For multisite, this naturally restricts to each site's upload directory via wp_upload_dir().

Changes

  • Simplified get_root(): Returns WP_CONTENT_DIR unconditionally
    • Removes ADD_FROM_SERVER constant support
    • Removes /home/ directory detection
    • Removes ABSPATH parent directory traversal
  • Added path validation: Extra check in handle_imports() ensures resolved paths stay within bounds
  • Updated notices: Removed ADD_FROM_SERVER workaround suggestions, inform users of security restriction
  • Updated docs: FAQ reflects new behavior

Before/After

// Before: Complex logic with multiple escape hatches
function get_root() {
    if ( defined( 'ADD_FROM_SERVER' ) ) {
        $root = ADD_FROM_SERVER;
    } elseif ( str_starts_with( __FILE__, '/home/' ) ) {
        $root = implode( '/', array_slice( explode( '/', __FILE__ ), 0, 3 ) );
    } else {
        if ( str_starts_with( WP_CONTENT_DIR, ABSPATH ) ) {
            $root = dirname( ABSPATH );
        } else {
            $root = dirname( WP_CONTENT_DIR );
        }
    }
    // ... more validation logic
    return $root;
}

// After: Single source of truth
function get_root() {
    return WP_CONTENT_DIR;
}

Net: -30 lines, tightened security boundary

Original prompt

This section details the original issue you should resolve

<issue_title>Remove all base directory logic and limit to content dir</issue_title>
<issue_description>Due to a stream of ill-informed security vulnerability notices the plugin should be limited to the WP_CONTENT_DIR folder going forward, and in the case of multisite, the individual site's upload folder.</issue_description>

Comments on the Issue (you are @copilot in this section)



Co-authored-by: dd32 <767313+dd32@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Remove base directory logic to limit to WP_CONTENT_DIR" to "Restrict file access to WP_CONTENT_DIR only" on Feb 11, 2026
Copilot AI requested a review from dd32 February 11, 2026 02:56
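
One way to implement the kind of bounds check the description mentions for handle_imports(), shown here as an added example and not the plugin's own code. The helper name path_is_within_root() and the temporary directory layout are hypothetical, and the demo assumes a POSIX filesystem where symlink() is available.

```php
<?php
// Added illustration; path_is_within_root() is a hypothetical helper, not the plugin's code.

/**
 * True only if $candidate resolves (after symlinks and "..") to $root or a path beneath it.
 */
function path_is_within_root( string $candidate, string $root ): bool {
    $real_root = realpath( $root );
    $real_path = realpath( $candidate ); // false when the path does not exist
    if ( false === $real_root || false === $real_path ) {
        return false;
    }
    if ( $real_path === $real_root ) {
        return true;
    }
    // The trailing separator stops "/x/wp-content-old" from matching root "/x/wp-content".
    $prefix = rtrim( $real_root, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    return 0 === strncmp( $real_path, $prefix, strlen( $prefix ) );
}

// Constructed sandbox standing in for WP_CONTENT_DIR and its neighbours.
$base = sys_get_temp_dir() . '/afs-demo-' . bin2hex( random_bytes( 4 ) );
$root = "$base/wp-content";
mkdir( "$root/uploads", 0700, true );
mkdir( "$base/wp-content-old", 0700, true );
touch( "$root/uploads/photo.jpg" );
touch( "$base/wp-config.php" );
touch( "$base/wp-content-old/dump.sql" );
symlink( $base, "$root/uploads/link" ); // symlink whose target is outside the root

// Path => whether the check is expected to allow it.
$cases = array(
    "$root/uploads/photo.jpg"           => true,  // ordinary file inside the root
    "$root"                             => true,  // the root itself
    "$root/uploads/../../wp-config.php" => false, // ".." segments leaving the root
    "$base/wp-content-old/dump.sql"     => false, // sibling directory sharing the prefix
    "$root/uploads/link/wp-config.php"  => false, // symlink resolving outside the root
    "$root/uploads/missing.jpg"         => false, // nonexistent path cannot be resolved
);
foreach ( $cases as $path => $expected ) {
    $got = path_is_within_root( $path, $root );
    printf( "%-5s %s %s\n", $got ? 'allow' : 'deny', $got === $expected ? 'ok ' : 'BAD', $path );
}
```

Comparing the resolved path against the resolved root plus a trailing separator is what rejects both the sibling-prefix case and the symlink case; a plain string prefix test on the unresolved input would allow them.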