Hi @jimoe
Thanks for your questions, and welcome to WooCommerce!
Is the “absolute path” restrained to everything below the public_site root? Or can it access the paths above the root, normally not reachable from a web page?
This depends on which “File Download Method” your store uses (WooCommerce → Settings → Products → Downloadable products → File Download Method). There are two behaviors:
- Redirect method (X-Accel-Redirect/X-Sendfile “off”, i.e. plain redirect): the customer’s browser is redirected straight to the file URL. In this mode the file must be reachable by a URL — meaning it has to be inside the public web root, because a browser cannot fetch something above document root.
- Force Download / X-Accel-Redirect / X-Sendfile methods: WordPress/PHP itself opens the file server-side and streams it to the customer — the browser never requests the path directly. In this mode, the file can live above the web root (in a non-public directory), because it’s PHP reading the file from disk, not the browser fetching a URL. This is actually the recommended approach for protecting paid files from being guessed/downloaded directly.
So: absolute filesystem paths above the docroot only work if your download method is “Force Download” (or X-Accel-Redirect/X-Sendfile), not “Redirect.”
On top of that, there’s an Approved Download Directories feature (WooCommerce → Settings → Products → Approved Download Directories). WooCommerce provides a range of settings to help site administrators exercise control over the locations used for storing and serving product downloads, where approved directories can be added, edited or removed, and it’s also possible to disable or enable this feature entirely. If this feature is enabled (it is by default on new installs), a path/URL that isn’t in an approved directory gets flagged/disabled until an admin approves it — regardless of whether it’s technically reachable.
For more details you can use this guide: https://woocommerce.com/document/approved-download-directories/
What kind of encoding is expected for an URL? Who does the encoding?
The file URL should be a valid, properly encoded URL. In most cases, this simply means that any special characters or spaces in the URL are URL-encoded (for example, spaces become %20). If you select a file from the WordPress Media Library, WordPress typically generates the correct URL automatically, so you don’t need to encode it manually.
– Does Woo have a special location for the download files?
- When WooCommerce is installed, it creates a default directory for downloadable files at
wp-content/uploads/woocommerce_uploads/. This directory is added to the Approved Product Download Directories list and is enabled by default as a trusted location. While this is the recommended default location, WooCommerce also supports other approved directories or valid URLs for downloadable files.
I hope this helps.