[theme-reviewers] what are the rules for file access in themes?
Otto
otto at ottodestruct.com
Thu Jan 10 21:02:41 UTC 2013
On Thu, Jan 10, 2013 at 1:00 PM, Andrey "Rarst" Savchenko
<contact at rarst.net> wrote:
>> if you have to read in a file, use the file() command
>
> Could you please elaborate how this function is different from other file
> read functions (the PHP manual treats it as a synonym for file_get_contents()
> with a different output format) and why it seems to be exempt?
It's a pragmatic reason. Virtually every piece of theme malware that
has crossed our path uses file_get_contents(). Not one of them has
used file(). Not saying that they couldn't rewrite to use that, but
they have not done so thus far.
The case for file_get_contents() is rare enough that simply telling
people to use file() instead works fine, for now.
If you absolutely must have file_get_contents for some bizarre reason,
then just instantiate yourself a WP_Filesystem_Direct object and call
its get_contents function.
There are very few legitimate cases for a theme to read files, and
almost none for it to write them. For the writing case, using
file_put_contents() (or any other direct file writing approach) can
lead to security issues on a surprising number of shared hosting
services, thus the WP_Filesystem stuff.
-Otto
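A theme-side helper illustrating the approach Otto describes (read through WP_Filesystem rather than file_get_contents()); this is an added example, not code from the thread or from WordPress core. It assumes it runs inside WordPress, where ABSPATH, get_stylesheet_directory(), wp_normalize_path(), trailingslashit() and WP_Filesystem() are available, and it only serves files inside the active theme directory.

```php
<?php
/**
 * Added example: read a file that lives inside the active theme through the
 * WP_Filesystem abstraction instead of calling file_get_contents() directly.
 * Returns the file contents, or false if the file cannot be read.
 */
function example_theme_read_file( $relative_path ) {
    global $wp_filesystem;

    // WP_Filesystem() is defined in an admin include; load it on demand.
    if ( ! function_exists( 'WP_Filesystem' ) ) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
    }

    // Initialise the abstraction. On most hosts this resolves to
    // WP_Filesystem_Direct; on hosts that require FTP/SSH credentials it
    // returns false when none are supplied, so treat failure as "no file".
    if ( ! WP_Filesystem() ) {
        return false;
    }

    // Resolve the path and refuse anything that escapes the theme directory,
    // so this helper cannot be turned into a general-purpose file reader.
    $theme_dir = realpath( get_stylesheet_directory() );
    $target    = realpath( trailingslashit( get_stylesheet_directory() ) . $relative_path );
    if ( false === $theme_dir || false === $target ) {
        return false;
    }
    $theme_dir = trailingslashit( wp_normalize_path( $theme_dir ) );
    $target    = wp_normalize_path( $target );
    if ( 0 !== strpos( $target, $theme_dir ) ) {
        return false;
    }

    if ( ! $wp_filesystem->exists( $target ) ) {
        return false;
    }

    // get_contents() is the WP_Filesystem counterpart of file_get_contents().
    return $wp_filesystem->get_contents( $target );
}

// Usage: pull in a template fragment bundled with the theme (hypothetical file).
$snippet = example_theme_read_file( 'templates/notice.html' );
```

If you prefer Otto's shortcut of instantiating WP_Filesystem_Direct yourself, the same get_contents() call applies; the path check above is worth keeping either way.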