[Simple Site] .txt files are only downloadable for logged in users. [403: Access Denied]

[Greatdane]

Quick summary

.txt files are able to be uploaded to a WordPress.com site but they cannot be downloaded by users who are not logged in to WordPress.com

The following message is shown instead.

— 403: Access Denied —

This file requires authorization:

You must be logged in
and a member of this blog.
Log in to proceed.

I tried various other file types (such as .zip and .pdf) and they can be downloaded by anybody with the link.

As .txt files are relatively secure, I can only assume this is a bug affecting this file type only?

This only affects Simple Sites.

Steps to reproduce

1. Add a .txt file either to the Media Library or the File Block of your Simple site.
2. Copy the URL for the file.
3. Log out WordPress.com or open a new browser/incognito window.
4. Open the URL. You will get a 403: Access Denied error.

What you expected to happen

I would expect the `.txt. file to open like any other file that is uploadable to WordPress.com

What actually happened

The file is not viewable unless logged in to a WordPress.com account.

Context

Customer report;
p2EDhh-1mg-p2
4406715-zd-woothemes

Operating System

No response

Browser

No response

Simple, Atomic or both?

Simple

Theme-specific issue?

No response

Other notes

No response

Reproducibility

Consistent

Severity

All

Available workarounds?

Yes, easy to implement

Workaround details

Host the file on a different site (such as Google Drive).

[vipulpradhan]

User report: 4831460-zen
Suggested workaround to host the file on Google Drive.

[annbingle]

Same issue here 35360684-hc . However the user is using PDF instead and it only affects the mobile. The same issue with a simple site and after it was moved to AT. As a workaround I had them host the PDF files in Google Drive instead.

[jorpdesigns]

Reported in 7873243-zen

[github-actions]

Support References

This comment is automatically generated. Please do not edit it.

• 4406715-zen
• 4831460-zen
• 7873243-zen
• 9043186-zen
• 9333449-zen
• 9346531-zen
• 9356040-zen

[allilevine]

Reported in 9043186-zen

[Greatdane]

9333449-zd-a8c

[rickmgithub]

9333449-zd-a8c
9346531-zd-a8c

[philnick206]

Reported in 9356040-zd-a8c

[supernovia]

📌 REPRODUCTION RESULTS

• Tested on Simple – Replicated
• Tested on Atomic – Could Not Replicate

📌 FINDINGS/SCREENSHOTS/VIDEO
Note I was logged in with a WordPress.com test account unassociated with the sites that had a .txt upload

📌 ACTIONS

• Triaged

[dsas]

Some discussion on this: p1738598495170769-slack-C03N25JPCE4

[andres-blanco]

The code that prevents txt's being downloaded is to prevent an exploit. The details can be seen in the code linked by Dean in the Slack link.

I feel like this one should be closed since there are workarounds and doesn't feel worth the effort. But not 100% sure, @candy02058912 , what do you think?

[Greatdane]

If so, @donalirl we will need to update the Accepted File Types support doc to sat TXT files are on Business plans and above only (which sounds so strange! )

[donalirl]

@Greatdane could you please log the request here 🙏

[andres-blanco]

I did a follow-up with Security folks p1738846788359259-slack-C02DF688P