
False positive: WordPress.WP.AlternativeFunctions.file_system_operations_fopen for php://output CSV streaming #1377


@abdullahkaludi

Summary

The WordPress.WP.AlternativeFunctions.file_system_operations_fopen and WordPress.WP.AlternativeFunctions.file_system_operations_fclose checks report an error when using php://output for streaming a CSV download.

In this case, the warning appears to be a false positive because php://output is an output stream rather than a filesystem path, and there is no equivalent WordPress API (WP_Filesystem) for writing streamed CSV responses.

Minimal Reproduction

header( 'Content-Type: text/csv; charset=utf-8' );
header( 'Content-Disposition: attachment; filename=test.csv' );

$output = fopen( 'php://output', 'w' );

foreach ( $rows as $row ) {
	fputcsv( $output, $row );
}

fclose( $output );
exit;

Current Result

Plugin Check reports:

  • WordPress.WP.AlternativeFunctions.file_system_operations_fopen
  • WordPress.WP.AlternativeFunctions.file_system_operations_fclose

Expected Result

The check should not report an error for php://output, since:

  • php://output is not a filesystem path.
  • WP_Filesystem cannot be used to replace this functionality.
  • Streaming CSV responses using fopen( 'php://output', 'w' ) and fputcsv() is a common PHP pattern, and there is currently no WordPress-native alternative.

If this usage is intentionally unsupported, it would be helpful for the documentation to explain the recommended approach.


Disclaimer: Claude was used to help investigate and draft this issue. I verified the behavior and confirmed the reproduction before submitting.
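The distinction the issue asks for, as an added example that is not part of the original report and is not code from Plugin Check or WPCS: a token-based scan that keeps flagging `fopen()` calls unless the whole first argument is a literal PHP I/O stream. The function names, the exempt list and the sample source are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not the project's own sniff.

/** Index of the next token that is not whitespace or a comment. */
function next_code_token( array $tokens, int $i ): int {
	$skip = array( T_WHITESPACE, T_COMMENT, T_DOC_COMMENT );
	while ( isset( $tokens[ $i ] ) && is_array( $tokens[ $i ] ) && in_array( $tokens[ $i ][0], $skip, true ) ) {
		$i++;
	}
	return $i;
}

/** Line numbers of fopen() calls that a filesystem check should still report. */
function find_filesystem_fopen_calls( string $source ): array {
	// Assumption: only pure output streams are exempt. php://filter, php://temp
	// and any dynamic argument stay flagged because they can reach real files.
	$io_streams = array( 'php://output', 'php://stdout', 'php://stderr' );
	$tokens     = token_get_all( $source );
	$flagged    = array();

	foreach ( $tokens as $i => $token ) {
		// Simplification: matches unqualified fopen( only, not \fopen( or methods.
		if ( ! is_array( $token ) || T_STRING !== $token[0] || 'fopen' !== strtolower( $token[1] ) ) {
			continue;
		}
		$open = next_code_token( $tokens, $i + 1 );
		if ( '(' !== ( $tokens[ $open ] ?? null ) ) {
			continue;
		}
		$arg_i = next_code_token( $tokens, $open + 1 );
		$arg   = $tokens[ $arg_i ] ?? null;
		$after = $tokens[ next_code_token( $tokens, $arg_i + 1 ) ] ?? null;

		// Exempt only a single string literal followed directly by the comma,
		// so 'php://output' . $x or a variable path is never treated as safe.
		$is_literal = is_array( $arg ) && T_CONSTANT_ENCAPSED_STRING === $arg[0] && ',' === $after;
		if ( $is_literal && in_array( strtolower( trim( $arg[1], '\'"' ) ), $io_streams, true ) ) {
			continue;
		}
		$flagged[] = $token[2];
	}
	return $flagged;
}

// Constructed sample input: one streamed download, two calls that touch files.
$sample = "<?php\n\$out = fopen( 'php://output', 'w' );\n"
	. "\$log = fopen( \$dir . '/export.csv', 'w' );\n"
	. "\$tmp = fopen( 'php://filter/resource=' . \$path, 'r' );\n";
print_r( find_filesystem_fopen_calls( $sample ) );
```

On the constructed sample the `php://output` call on line 2 is skipped, while the concatenated path and the `php://filter` call are still reported.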
