Merge pull request #6080 from Automattic/staging

Production release: v20250107.0

Author: luiztiago

.github/actions/run-wp-tests/action.yml

@@ -122,7 +122,7 @@ runs:
         "${PHPUNIT}" ${OPTIONS}
 
     - name: Upload coverage report
-      uses: codecov/codecov-action@v5.0.7
+      uses: codecov/codecov-action@v5.1.1
       with:
         files: ${{ inputs.coverage-file }}
         flags: ${{ inputs.coverage-flags }}

.github/workflows/codeql-analysis.yml

@@ -32,10 +32,10 @@ jobs:
         uses: actions/[email protected]
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/[email protected].5
+        uses: github/codeql-action/[email protected].6
         with:
           languages: ${{ matrix.language }}
           config-file: ./.github/codeql-config.yml
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/[email protected].5
+        uses: github/codeql-action/[email protected].6

files/acl/acl.php

@@ -72,25 +72,32 @@ function get_option_as_bool_if_exists( $option_name ) {
 /**
  * Check if the path is allowed for the current context.
  *
- * @param string $file_path Path to the file, minus the `/wp-content/uploads/` bit. It's the second portion returned by `Pre_Wp_Utils\prepare_request()`
+ * @param string $file_path Path to the file, minus the `/wp-content/uploads/` bit.
+ *                          This is the second portion returned by `Pre_Wp_Utils\prepare_request()`.
+ * @return bool True if the file path is valid for the current site, false otherwise.
  */
 function is_valid_path_for_site( $file_path ) {
-	if ( ! is_multisite() ) {
-		return true;
-	}
-
-	// If main site, don't allow access to /sites/ subdirectories.
-	if ( is_main_network() && is_main_site() ) {
-		if ( 0 === strpos( $file_path, 'sites/' ) ) {
-			return false;
+	$is_valid = true;
+
+	if ( is_multisite() ) {
+		// If main site, don't allow access to `/sites/` subdirectories.
+		if ( is_main_network() && is_main_site() ) {
+			$is_valid = ! str_starts_with( $file_path, 'sites/' );
+		} else {
+			// Check if the file path matches the current site ID's directory.
+			$base_path = sprintf( 'sites/%d', get_current_blog_id() );
+			$is_valid  = str_starts_with( $file_path, $base_path );
 		}
-
-		return true;
 	}
 
-	$base_path = sprintf( 'sites/%d', get_current_blog_id() );
-
-	return 0 === strpos( $file_path, $base_path );
+	/**
+	 * Filter the result of the path validation for the current site.
+	 * Allows to override the logic used to determine if a file path is valid for the current site.
+	 *
+	 * @param bool   $is_valid  Whether the file path is valid for the current site.
+	 * @param string $file_path Path to the file, minus the `/wp-content/uploads/` bit.
+	 */
+	return apply_filters( 'vip_files_acl_is_valid_path_for_site', $is_valid, $file_path );
 }
 
 /**