[wp-meta] [Making WordPress.org] #4661: W.org plugins directory displays wrong version in advanced view
Making WordPress.org
noreply at wordpress.org
Wed Aug 7 17:52:00 UTC 2019
#4661: W.org plugins directory displays wrong version in advanced view
------------------------------+----------------------
 Reporter:  KestutisIT        |  Owner:  (none)
     Type:  defect            |  Status:  closed
 Priority:  normal            |  Milestone:
Component:  Plugin Directory  |  Resolution:  wontfix
 Keywords:  needs-patch       |
------------------------------+----------------------
Comment (by KestutisIT):
@Ipstenu - thanks for clearing this up. As I have a partnership with
PayPal and did many PayPal integrations, I can confirm that the most
secure way for this is to generate a SHA2-512 or RSA *.cert file for each
plugin after it is released and keep that file in the plugin's folder. The
cert will ensure that the request is coming from that exact plugin. It
should be a URL of W.org and the plugin's admin dashboard image icon
checksum, or Plugin/Plugin.php (main file with meta description), or just
a meta description checksum. It won't be a checksum of the whole zip, but
at least of that one thing it could be. Otherwise I can hack any plugin of
W.org by putting random information there and submitting it to the report,
even maybe a '1.0-EVIL' version to i.e. bbPress. And this will be seen on
the reports screen by everyone, as I can print any message I want there
with the version, as long as it matches the Semver rule, and Semver allows
naming the release. So that's a security risk.
--
Ticket URL: <https://meta.trac.wordpress.org/ticket/4661#comment:5>
Making WordPress.org <https://meta.trac.wordpress.org/>