Extra protections

includes/class-wc-product-download.php

@@ -173,9 +173,9 @@ class WC_Product_Download implements ArrayAccess {
 	 */
 	public function set_file( $value ) {
 		// A `///` is recognized as an "absolute", but on the filesystem, so it bypasses the mime check in `self::is_allowed_filetype`.
-		// This will change the file value to the `relative` beginning with `/` and it will be parsed accordingly.
-		if ( substr( $value, 0, 3 ) === '///' ) {
-			$value = substr( $value, 2 );
+		// This will strip extra prepending / to the maximum of 2.
+		if ( preg_match( '#^/+(//[^/].+)$#i', $value, $matches ) ) {
+			$value = $matches[1];
 		}
 		switch ( $this->get_type_of_file_path( $value ) ) {
 			case 'absolute':

tests/legacy/unit-tests/product/class-wc-tests-product-download.php

@@ -145,4 +145,17 @@ class WC_Tests_Product_Download extends WC_Unit_Test_Case {
 		$download->set_file( '//' . trailingslashit( WP_PLUGIN_DIR ) . 'woocommerce/woocommerce.php' );
 		$this->assertEquals( false, $download->is_allowed_filetype() );
 	}
+
+	/**
+	 * Tests if we are trimming prepending slashes which can confuse system and change the file type to a filesystem path.
+	 * @see https://github.com/woocommerce/woocommerce/pull/28699
+	 *
+	 * @since 5.0.1
+	 */
+	public function test_trim_extra_prepending_slashes() {
+		$download = new WC_Product_Download();
+
+		$download->set_file( '////////test/path' );
+		$this->assertEquals( '//test/path', $download->get_file() );
+	}
 }