From 44c0e1c94f6152ba521eda32497b3319dd86a590 Mon Sep 17 00:00:00 2001 From: Nestor Soriano Date: Thu, 19 Sep 2024 11:58:56 +0200 Subject: [PATCH] Modify product import file check to use the WP filesystem API. Otherwise it doesn't work on environments that don't have a direct filesystem like e.g. WordPress VIP. --- ...ass-wc-product-csv-importer-controller.php | 45 ++++++++----------- 1 file changed, 19 insertions(+), 26 deletions(-) diff --git a/plugins/woocommerce/includes/admin/importers/class-wc-product-csv-importer-controller.php b/plugins/woocommerce/includes/admin/importers/class-wc-product-csv-importer-controller.php index 0ce9d749a2b..028f964593c 100644 --- a/plugins/woocommerce/includes/admin/importers/class-wc-product-csv-importer-controller.php +++ b/plugins/woocommerce/includes/admin/importers/class-wc-product-csv-importer-controller.php @@ -5,6 +5,7 @@ * @package WooCommerce\Admin\Importers */ +use Automattic\WooCommerce\Internal\Utilities\FilesystemUtil; use Automattic\WooCommerce\Utilities\I18nUtil; if ( ! defined( 'ABSPATH' ) ) { 
@@ -113,37 +114,18 @@ class WC_Product_CSV_Importer_Controller { * @throws \Exception When file validation fails. */ protected static function check_file_path( string $path ): void { - $is_valid_file = false; + $wp_filesystem = FilesystemUtil::get_wp_filesystem(); - if ( ! empty( $path ) ) { - $path = realpath( $path ); - $is_valid_file = false !== $path; - } - - // File must be readable. - $is_valid_file = $is_valid_file && is_readable( $path ); + // File must exist and be readable. + $is_valid_file = $wp_filesystem->is_readable( $path ); // Check that file is within an allowed location. if ( $is_valid_file ) { - $normalized_path = wp_normalize_path( $path ); - $in_valid_location = false; - $valid_locations = array(); - $valid_locations[] = ABSPATH; - - $upload_dir = wp_get_upload_dir(); - if ( false === $upload_dir['error'] ) { - $valid_locations[] = $upload_dir['basedir']; + $is_valid_file = self::file_is_in_directory( $path, $wp_filesystem->abspath() ); + if ( ! $is_valid_file ) { + $upload_dir = wp_get_upload_dir(); + $is_valid_file = false === $upload_dir['error'] && self::file_is_in_directory( $path, $upload_dir['basedir'] ); } - - foreach ( $valid_locations as $valid_location ) { - $normalized_location = wp_normalize_path( realpath( $valid_location ) ); - if ( 0 === stripos( $normalized_path, trailingslashit( $normalized_location ) ) ) { - $in_valid_location = true; - break; - } - } - - $is_valid_file = $in_valid_location; } if ( ! $is_valid_file ) { 
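Review bot: The `realpath( $path )` call the removed lines ran before the location check has no replacement, so `$path` now reaches `self::file_is_in_directory()` un-canonicalised: `wp_normalize_path()` does not resolve `..` segments or symlinks, so a path such as `<ABSPATH>/../../etc/passwd` satisfies the prefix comparison while `$wp_filesystem->is_readable()` on the direct backend still reports the real target readable. If `$path` can be influenced by a request (the callers are not visible here), that reintroduces the traversal the old `realpath()` prevented. Since the WP filesystem API offers no realpath equivalent, either keep canonicalisation where a local path is available (e.g. `if ( 'direct' === $wp_filesystem->method ) { $path = realpath( $path ) ?: ''; }` after the `get_wp_filesystem()` line — confirm the `method` property name) or make the helper reject dot-dot segments before comparing prefixes. Note also that `$wp_filesystem->abspath()` is the backend's view of the path while `wp_get_upload_dir()['basedir']` is the local one; for non-direct backends the two conventions may not agree, worth confirming. The remainder of check_file_path continues past the end of this hunk.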
@@ -155,6 +137,17 @@ class WC_Product_CSV_Importer_Controller { } } + /** + * Check if a given file is inside a given directory. + * + * @param string $file_path The full path of the file to check. + * @param string $directory The path of the directory to check. + * @return bool True if the file is inside the directory. + */ + private static function file_is_in_directory( string $file_path, string $directory ): bool { + return 0 === stripos( wp_normalize_path( $file_path ), trailingslashit( wp_normalize_path( $directory ) ) ); + } + /** * Get all the valid filetypes for a CSV file. *
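Review bot: `file_is_in_directory` is a purely lexical prefix test on the new lines, and `wp_normalize_path()` only fixes slashes, so a file path containing `..` segments (`/site/../../etc/passwd` with `/site/` as the directory) is reported as inside the directory; the comparison therefore only means what the docblock says when the caller has already canonicalised the path. Unless every caller guarantees that, the helper should refuse dot-dot segments itself, and the docblock should state that symlinks are not resolved, e.g. `* Note: the check is lexical; symlinks are not resolved and paths containing ".." segments are rejected.` The case-insensitive `stripos` is carried over from the old code and is fine on case-insensitive filesystems, but on a case-sensitive one it accepts a prefix that names a different directory; `strpos` would be the stricter choice.
```php
private static function file_is_in_directory( string $file_path, string $directory ): bool {
	$normalized_file = wp_normalize_path( $file_path );

	// The prefix test below does not resolve ".." segments, so refuse them outright.
	if ( preg_match( '#(^|/)\.\.(/|$)#', $normalized_file ) ) {
		return false;
	}

	return 0 === stripos( $normalized_file, trailingslashit( wp_normalize_path( $directory ) ) );
}
```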