Add automatic cleanup of old core files using WordPress $_old_files list (#299)

Co-authored-by: swissspidy <841956+swissspidy@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Pascal Birchler <pascal.birchler@gmail.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Pascal Birchler <pascalb@google.com>

Author: 3 people

features/core-download.feature

@@ -180,7 +180,7 @@ Feature: Download WordPress
       """
       Failed to find WordPress version
       """
-    And STDERR should contain:
+    And STDERR should not contain:
       """
       Warning: Checksums not available for WordPress nightly/en_US. Please cleanup files manually.
       """

features/core-update.feature

@@ -21,6 +21,8 @@ Feature: Update WordPress core
       """
       Starting update...
       Unpacking the update...
+      Cleaning up files...
+      No old files were removed.
       Success: WordPress updated successfully.
       """
 
@@ -420,6 +422,90 @@ Feature: Update WordPress core
       </div>
       """
 
+  Scenario: Old files from $_old_files are cleaned up when upgrading
+    Given a WP install
+
+    When I run `wp core download --version=6.8 --force`
+
+    # Create files that should be removed according to 6.9 old_files list
+    Given a wp-includes/blocks/post-author/editor.css file:
+      """
+      /* Old CSS file */
+      """
+    And a wp-includes/blocks/post-author/editor.min.css file:
+      """
+      /* Old minified CSS */
+      """
+    And a wp-includes/blocks/post-author/editor-rtl.css file:
+      """
+      /* Old RTL CSS */
+      """
+    And a wp-includes/blocks/post-author/editor-rtl.min.css file:
+      """
+      /* Old RTL minified CSS */
+      """
+    And a wp-includes/SimplePie/src/Core.php file:
+      """
+      <?php
+      // Old SimplePie Core file
+      """
+    And an empty wp-includes/SimplePie/src/Decode directory
+
+    When I run `wp core update --version=6.9 --force`
+    Then STDOUT should contain:
+      """
+      Success: WordPress updated successfully.
+      """
+    And the wp-includes/blocks/post-author/editor.css file should not exist
+    And the wp-includes/blocks/post-author/editor.min.css file should not exist
+    And the wp-includes/blocks/post-author/editor-rtl.css file should not exist
+    And the wp-includes/blocks/post-author/editor-rtl.min.css file should not exist
+    And the wp-includes/SimplePie/src/Core.php file should not exist
+    And the wp-includes/SimplePie/src/Decode directory should not exist
+
+  @require-php-7.2
+  Scenario: Old files cleanup works when checksums unavailable
+    Given a WP install
+
+    When I run `wp core download --version=6.8 --force`
+    Then STDOUT should contain:
+      """
+      Success: WordPress downloaded.
+      """
+
+    # Create files that exist in the $_old_files list from WordPress 6.9
+    Given a wp-includes/blocks/post-author/editor.css file:
+      """
+      /* Old CSS file */
+      """
+    And a wp-includes/blocks/post-author/editor.min.css file:
+      """
+      /* Old minified CSS */
+      """
+
+    # Mock checksum API to return empty response so checksums are unavailable
+    And that HTTP requests to https://api.wordpress.org/core/checksums/1.0/ will respond with:
+      """
+      HTTP/1.1 200
+      Content-Type: application/json
+
+      {}
+      """
+
+    When I try `wp core update --version=6.9 --force`
+    Then STDOUT should contain:
+      """
+      Cleaning up files...
+      """
+    And STDOUT should contain:
+      """
+      Success: WordPress updated successfully.
+      """
+
+    # Verify files from $_old_files were removed
+    And the wp-includes/blocks/post-author/editor.css file should not exist
+    And the wp-includes/blocks/post-author/editor.min.css file should not exist
+
   Scenario: Update WordPress locale without --force when version is the same
     Given a WP install
     And an empty cache
@@ -485,7 +571,7 @@ Feature: Update WordPress core
       """
       Package language:  en_US
       """
-  @require-php-7.0 @require-wp-6.1
+  @require-wp-6.1
   Scenario: Attempting to downgrade without --force shows helpful message
     Given a WP install
 

src/Core_Command.php

@@ -1123,7 +1123,7 @@ private static function get_core_checksums( $version, $locale, $insecure ) {
 	 *     Downloading update from https://downloads.wordpress.org/release/wordpress-4.5.2-no-content.zip...
 	 *     Unpacking the update...
 	 *     Cleaning up files...
-	 *     No files found that need cleaning up
+	 *     No old files were removed.
 	 *     Success: WordPress updated successfully.
 	 *
 	 *     # Update WordPress using zip file.
@@ -1137,7 +1137,9 @@ private static function get_core_checksums( $version, $locale, $insecure ) {
 	 *     Updating to version 3.1 (en_US)...
 	 *     Downloading update from https://wordpress.org/wordpress-3.1.zip...
 	 *     Unpacking the update...
-	 *     Warning: Checksums not available for WordPress 3.1/en_US. Please cleanup files manually.
+	 *     Cleaning up files...
+	 *     No old files were removed.
+	 *     Warning: Could not retrieve WordPress core checksums; skipping checksum-based cleanup. Files listed in $_old_files were still cleaned up.
 	 *     Success: WordPress updated successfully.
 	 *
 	 * @alias upgrade
@@ -1794,16 +1796,16 @@ private function cleanup_extra_files( $version_from, $version_to, $locale, $inse
 			return;
 		}
 
-		$old_checksums = self::get_core_checksums( $version_from, $locale ?: 'en_US', $insecure );
-		if ( ! is_array( $old_checksums ) ) {
-			WP_CLI::warning( "{$old_checksums} Please cleanup files manually." );
-			return;
-		}
+		// Always clean up files from WordPress core's $_old_files list first
+		$this->cleanup_old_files();
 
+		$old_checksums = self::get_core_checksums( $version_from, $locale ?: 'en_US', $insecure );
 		$new_checksums = self::get_core_checksums( $version_to, $locale ?: 'en_US', $insecure );
-		if ( ! is_array( $new_checksums ) ) {
-			WP_CLI::warning( "{$new_checksums} Please cleanup files manually." );
 
+		$has_checksums = is_array( $old_checksums ) && is_array( $new_checksums );
+
+		if ( ! $has_checksums ) {
+			WP_CLI::warning( 'Could not retrieve WordPress core checksums; skipping checksum-based cleanup. Files listed in $_old_files were still cleaned up.' );
 			return;
 		}
 
@@ -1899,6 +1901,184 @@ private function cleanup_extra_files( $version_from, $version_to, $locale, $inse
 		}
 	}
 
+	/**
+	 * Clean up old files using WordPress core's $_old_files list.
+	 *
+	 * It unconditionally deletes files from the $_old_files global array maintained by WordPress core.
+	 */
+	private function cleanup_old_files() {
+		$old_files = $this->get_old_files_list();
+		if ( empty( $old_files ) ) {
+			WP_CLI::log( 'No files found that need cleaning up.' );
+			return;
+		}
+
+		WP_CLI::log( 'Cleaning up files...' );
+
+		$count = $this->remove_old_files_from_list( $old_files );
+
+		if ( $count ) {
+			WP_CLI::log( number_format( $count ) . ' files cleaned up.' );
+		} else {
+			WP_CLI::log( 'No old files were removed.' );
+		}
+	}
+
+	/**
+	 * Get the list of old files from WordPress core.
+	 *
+	 * @return array Array of old file paths, or empty array if not available.
+	 */
+	private function get_old_files_list() {
+		// Include WordPress core's update file to access the $_old_files list
+		if ( ! file_exists( ABSPATH . 'wp-admin/includes/update-core.php' ) ) {
+			WP_CLI::warning( 'Could not find update-core.php. Please cleanup files manually.' );
+			return array();
+		}
+
+		require_once ABSPATH . 'wp-admin/includes/update-core.php';
+
+		global $_old_files;
+
+		if ( empty( $_old_files ) || ! is_array( $_old_files ) ) {
+			return array();
+		}
+
+		return $_old_files;
+	}
+
+	/**
+	 * Remove old files from a list.
+	 *
+	 * This is a shared helper method that handles the actual removal of files and directories.
+	 *
+	 * @param array $files Array of file paths to remove.
+	 * @return int Number of files/directories successfully removed.
+	 */
+	private function remove_old_files_from_list( $files ) {
+		$count = 0;
+
+		$abspath_realpath = realpath( ABSPATH );
+		if ( false === $abspath_realpath ) {
+			WP_CLI::debug( 'Failed to resolve ABSPATH realpath', 'core' );
+			return $count;
+		}
+		$abspath_realpath_trailing = Utils\trailingslashit( $abspath_realpath );
+
+		foreach ( $files as $file ) {
+			$file_path = ABSPATH . $file;
+
+			// Skip entries that don't exist and aren't (broken) symlinks.
+			if ( ! file_exists( $file_path ) && ! is_link( $file_path ) ) {
+				continue;
+			}
+
+			// Symlinks: validate and remove without following the link.
+			if ( is_link( $file_path ) ) {
+				$normalized_path = realpath( dirname( $file_path ) );
+				if ( false === $normalized_path
+					|| 0 !== strpos( Utils\trailingslashit( $normalized_path ), $abspath_realpath_trailing )
+				) {
+					WP_CLI::debug( "Skipping symbolic link outside of ABSPATH: {$file}", 'core' );
+					continue;
+				}
+				if ( unlink( $file_path ) ) {
+					WP_CLI::log( "Symbolic link removed: {$file}" );
+					++$count;
+				} else {
+					WP_CLI::debug( "Failed to remove symbolic link: {$file}", 'core' );
+				}
+				continue;
+			}
+
+			// Regular files/directories: validate real path is within ABSPATH.
+			$file_realpath = realpath( $file_path );
+			if ( false === $file_realpath || 0 !== strpos( Utils\trailingslashit( $file_realpath ), $abspath_realpath_trailing ) ) {
+				WP_CLI::debug( "Skipping file outside of ABSPATH: {$file}", 'core' );
+				continue;
+			}
+
+			if ( is_dir( $file_path ) ) {
+				if ( $this->remove_directory( $file_path, $abspath_realpath_trailing ) ) {
+					WP_CLI::log( "Directory removed: {$file}" );
+					++$count;
+				} else {
+					WP_CLI::debug( "Failed to remove directory: {$file}", 'core' );
+				}
+			} elseif ( unlink( $file_path ) ) {
+				WP_CLI::log( "File removed: {$file}" );
+				++$count;
+			} else {
+				WP_CLI::debug( "Failed to remove file: {$file}", 'core' );
+			}
+		}
+
+		return $count;
+	}
+
+	/**
+	 * Recursively remove a directory and its contents.
+	 *
+	 * @param string $dir Directory path to remove.
+	 * @param string $abspath_realpath_trailing Cached ABSPATH realpath with trailing slash for performance.
+	 * @return bool True on success, false on failure.
+	 */
+	private function remove_directory( $dir, $abspath_realpath_trailing ) {
+		$dir_realpath = realpath( $dir );
+		if ( false === $dir_realpath ) {
+			WP_CLI::debug( "Failed to resolve realpath for directory: {$dir}", 'core' );
+			return false;
+		}
+		if ( 0 !== strpos( Utils\trailingslashit( $dir_realpath ), $abspath_realpath_trailing ) ) {
+			WP_CLI::debug( "Attempted to remove directory outside of ABSPATH: {$dir_realpath}", 'core' );
+			return false;
+		}
+		if ( ! is_dir( $dir ) ) {
+			return false;
+		}
+
+		$files = new RecursiveIteratorIterator(
+			new RecursiveDirectoryIterator( $dir, RecursiveDirectoryIterator::SKIP_DOTS ),
+			RecursiveIteratorIterator::CHILD_FIRST
+		);
+
+		/** @var \SplFileInfo $fileinfo */
+		foreach ( $files as $fileinfo ) {
+			// Use the symlink's own path (not realpath) to avoid following it outside ABSPATH.
+			if ( $fileinfo->isLink() ) {
+				$path = $fileinfo->getPathname();
+				if ( ! unlink( $path ) ) {
+					WP_CLI::debug( "Failed to remove symbolic link: {$path}", 'core' );
+					return false;
+				}
+				continue;
+			}
+
+			$path = $fileinfo->getRealPath();
+			if ( false === $path || 0 !== strpos( $path, $abspath_realpath_trailing ) ) {
+				WP_CLI::debug( "Attempted to remove path outside of ABSPATH: {$path}", 'core' );
+				return false;
+			}
+
+			if ( $fileinfo->isDir() ) {
+				if ( ! rmdir( $path ) ) {
+					WP_CLI::debug( "Failed to remove directory: {$path}", 'core' );
+					return false;
+				}
+			} elseif ( ! unlink( $path ) ) {
+				WP_CLI::debug( "Failed to remove file: {$path}", 'core' );
+				return false;
+			}
+		}
+
+		if ( ! rmdir( $dir ) ) {
+			WP_CLI::debug( "Failed to remove directory: {$dir}", 'core' );
+			return false;
+		}
+
+		return true;
+	}
+
 	private static function strip_content_dir( $zip_file ) {
 		$new_zip_file = Utils\get_temp_dir() . uniqid( 'wp_' ) . '.zip';
 		register_shutdown_function(