We plan on including a new Approved Download Directories feature in WooCommerce 6.5 (scheduled for May 10) to give site owners additional control over product downloads. You may be particularly interested in this if you:
- Maintain a theme, plugin, or service that integrates with product downloads.
- Operate a site that sells downloadable products.
This advisory contains a brief synopsis of the change: full documentation is available here for those needing more detail.
We already provide several safety features concerning product downloads (for example, downloadable files must be of an allowed file type before they can be added to a product) and, with Approved Download Directories, we are making a further layer of protection available that will allow site owners to specify a set of trusted locations in which all downloadable files must be stored.
Merchants might for example use this to ensure that downloadable files are always stored in locations to which they have full read/write access.
The feature is optional and can be enabled (or disabled) at any time. Our plan is to enable it out-of-the-box for new installations, starting with WooCommerce 6.5, but make it opt-in for existing stores that upgrade from earlier versions.
How can I tell if this affects me?
If you are a developer responsible for a plugin, theme or component that integrates with product downloads, or if you operate a site that sells downloadable products, you may wish to perform some additional testing to detect potential problems ahead of the 6.5 release.
What action should I take?
Consider testing the new feature in a staging or testing environment prior to May 10. The feature is already present in our trunk branch on GitHub, and we expect it will be included in the upcoming beta build (scheduled for April 19), too.