fix(clone): Prevents overwriting wp-config.php when cloning a remote site with a custom public directory

[rodrigo-gpereira]

This change fixes a bug in the copy_site_files() function where the wp-config.php file from the remote site was copied and overwritten the local wp-config.php file when the remote site had a custom public directory.

Evidence:

sudo ee site clone root@192.168.100.20:custom-public.local .

Checking access to both sites
Creating site. This may take a while...
Syncing files
Syncing database
Exporting database from source
Copying database to destination
Importing database in destination
Error: Error while executing clone-import-db. closure: Unable to import database on destination. Please check for file system permissions and disk space.
Cleanup export file from source and destination
Success: Site cloned successfully.
You have to do these additional configurations manually (if required):
1. Update wp-config.php.
2. Add alias domains. 

Problem.

The code only had --exclude '/wp-config.php' (in the root)
When the remote site had a custom source_public_path (e.g., /current/web), wp-config.php was located in /current/wp-config.php
Since the exclusion only covered the root (/wp-config.php), rsync copied wp-config.php from the remote site, overwriting the local database settings and preventing synchronization from occurring correctly.

Solution.

With the code update, it's possible to clone WordPress sites from remote servers with a customized public directory.

sudo ee site clone root@192.168.100.20:custom-public.local .

Checking access to both sites
Creating site. This may take a while...
Syncing files
Syncing database
Exporting database from source
Copying database to destination
Importing database in destination
Executing search-replace
Cleanup export file from source and destination
+--------------------+-------------------------------------------+
| Site               | http://custom-public.local                |
+--------------------+-------------------------------------------+
| Site Root          | /opt/easyengine/sites/custom-public.local |
+--------------------+-------------------------------------------+
| Site Title         | custom-public.local                       |
+--------------------+-------------------------------------------+
| WordPress Username | wp-user-o42y                              |
+--------------------+-------------------------------------------+
| WordPress Password | wV0zQVq9Z3Jdgt2yA5                        |
+--------------------+-------------------------------------------+
| Alias Domains      | None                                      |
+--------------------+-------------------------------------------+
| DB Host            | global-db                                 |
+--------------------+-------------------------------------------+
| DB Name            | custom_public_local                       |
+--------------------+-------------------------------------------+
| DB User            | custom-public.local-kvkz6a                |
+--------------------+-------------------------------------------+
| DB Password        | OhkHGKQH3nGYIBJggN                        |
+--------------------+-------------------------------------------+
| E-Mail             | admin@custom-public.local                 |
+--------------------+-------------------------------------------+
| SSL                | Not Enabled                               |
+--------------------+-------------------------------------------+
| Cache              | None                                      |
+--------------------+-------------------------------------------+
| Proxy Cache        | Off                                       |
+--------------------+-------------------------------------------+
Success: Site cloned successfully.
You have to do these additional configurations manually (if required):
1. Update wp-config.php.
2. Add alias domains.

Note: Since the synchronize command uses the same function, the correction covers synchronization from the remote server.

Fixes #463

[Copilot]

Pull request overview

This PR fixes a bug in the copy_site_files() function where wp-config.php from a remote site with a custom public directory was incorrectly copied and overwrote the local wp-config.php file during cloning operations.

Key Changes

• Adds exclusion logic for wp-config.php in custom public directories and their parent directories
• Updates uploads path handling to use source-specific and destination-specific path variables
• Fixes exclusion pattern for uploads to use the correct source-relative path

Comments suppressed due to low confidence (1)

src/clone/clone-utils.php:166

• The construction of the rsync command here interpolates values derived from site_container_fs_path (e.g. destination_public_path, source_public_path/source_uploads_path) directly into the $exclude string, which is then passed as part of a full shell command to EE::exec via rsync_command. Because these values ultimately come from ee site info JSON on the remote host and are not re-escaped (e.g. with escapeshellarg), a compromised or malicious remote site can set site_container_fs_path (or site_fs_path) to include shell metacharacters and achieve command injection on the local host when cloning/syncing (e.g. via a crafted path that injects ; rm -rf /). To fix this, ensure all path components used in $exclude, $source_dir, and $destination_dir are strictly validated on read and passed through escapeshellarg, or refactor rsync_command/EE::exec to avoid shell parsing by passing arguments as an array to the underlying process launcher.

	$source_public_path      = str_replace( '/var/www/htdocs', '', $source->site_details['site_container_fs_path'] );
	$destination_public_path = str_replace( '/var/www/htdocs', '', $destination->site_details['site_container_fs_path'] );

	$exclude = '--exclude \'/wp-config.php\'';

	if ( ! empty( $destination_public_path ) ) {
		$exclude .= ' --exclude \'' . $destination_public_path . '/wp-config.php\'';

		$parent_dir = dirname( $destination_public_path );
		if ( $parent_dir !== '.' && $parent_dir !== '/' ) {
			$exclude .= ' --exclude \'' . $parent_dir . '/wp-config.php\'';
		}
	}

	$source_uploads_path      = $source_public_path . '/wp-content/uploads';
	$destination_uploads_path = $destination_public_path . '/wp-content/uploads';
	$uploads_path_share       = '/shared/wp-content/uploads';

	$source_dir      = remove_trailing_slash( $source->get_site_root_dir() );
	$destination_dir = remove_trailing_slash( $destination->get_site_root_dir() );

	if ( $sync_type['uploads'] && ! $sync_type['files'] ) {
		$source_dir      .= $source_uploads_path;
		$destination_dir .= $destination_uploads_path;
	}

	if ( $sync_type['files'] && ! $sync_type['uploads'] ) {
		$exclude .= ' --exclude \'' . $source_uploads_path . '\'';
		$exclude .= ' --exclude \'' . $uploads_path_share . '\'';
	}

	$rsync_command = rsync_command( trailingslashit( $source_dir ), trailingslashit( $destination_dir ), [ $exclude ] );

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.