Relax allowed path restrictions for block metadata collections and make the allowed root list filterable #8130
Conversation
…ke the allowed root list filterable.
|
The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the Core Committers: Use this line as a base for the props when committing in SVN: To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook. |
Test using WordPress PlaygroundThe changes in this pull request can previewed and tested using a WordPress Playground instance. WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser. Some things to be aware of
For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation. |
| * must-use plugins, and themes. This filter can be used to expand the list, e.g. to custom directories with | ||
| * symlinked plugins. |
There was a problem hiding this comment.
I dislike that symlinked plugins only work when using this filter.
That means developers will have to add some extra code to make their plugins work properly during local development or in other more sophisticated server setups.
What stops plugins and themes from just shipping something like add_filter( 'wp_allowed_block_metadata_collection_roots', static function( $roots ) { $roots[] = __DIR__; return $roots; } );?
I bet we'll see plugins in the directory with such code, intentionally or not.
There was a problem hiding this comment.
An existing utility function get_block_asset_url is used with all block assets. It covers all the same edge cases discussed, so maybe it would be possible to mirror its functionality with the specific requirements of where the collection roots can live.
There was a problem hiding this comment.
I dislike that symlinked plugins only work when using this filter.
I have an idea for an alternative solution where this list is used more like a denylist than a mix of denylist and allowlist. That should address the limitation. Currently working on implementing it.
What stops plugins and themes from just shipping something like
add_filter( 'wp_allowed_block_metadata_collection_roots', static function( $roots ) { $roots[] = __DIR__; return $roots; } );?
Nothing, but nothing in WordPress Core has ever stopped you from _doing_it_wrong - doesn't mean you should. There are other filters for allowlists that anyone could use to loosen the restrictions in a dangerous way, e.g. allowed_redirect_hosts.
Anyway, I think by using this as purely a denylist we should be able to simplify the usage, while still preventing (by default) the key problem this is supposed to prevent (see https://core.trac.wordpress.org/ticket/62140#comment:25).
…ling for exact matches and parent directories.
|
Ping @mreishus, since you worked on the original code. Would be great to get your review. |
This PR implements a solution to allow block metadata collections in additional directories, based on the ideas from the Trac ticket:
wp-includesdirectory, as well as the root directories for plugins, must-use plugins, and themes.wp_allowed_block_metadata_collection_roots.wp-content/pluginsdirectory (orwp-content, or the root directory of WordPress etc.), which then would conflict with other collections within that directory.Trac ticket: https://core.trac.wordpress.org/ticket/62140
This Pull Request is for code review only. Please keep all other discussion in the Trac ticket. Do not merge this Pull Request. See GitHub Pull Requests for Code Review in the Core Handbook for more details.