[wp-trac] Re: [WordPress Trac] #5174: If plugin details cleared
while activated, "impossible" to deactivate
WordPress Trac
wp-trac at lists.automattic.com
Thu Oct 11 14:29:48 GMT 2007
#5174: If plugin details cleared while activated, "impossible" to deactivate
----------------------------+-----------------------------------------------
 Reporter:  Viper007Bond    |        Owner:  anonymous
     Type:  defect          |       Status:  new
 Priority:  lowest          |    Milestone:  2.5
Component:  Administration  |      Version:  2.3
 Severity:  normal          |   Resolution:
 Keywords:  needs-patch     |
----------------------------+-----------------------------------------------
Comment (by santosj):
If a plugin were going to do that they would just edit the database plugin
option to where they would never be able to deactivate the plugin and
force deletion. However, the combination of both could be a problem.

Let's say User goes to activate and run the application. Finds out that the
plugin was a little sneaky and is "phoning" home or adding content that
wasn't agreed upon.

User goes to deactivate, and on the deactivation hook, the plugin re-adds
itself to the plugin option activated list and opens itself and does the
above bug trick.

For a normal user this might pose a problem. What this needs to take into
account is that if the User really wanted to remove such a plugin, they
would only need to remove it, instead of deleting it. If it creates any
other files, like say in the akismet folder, and activates itself when
activated the first time, then this would pose a security risk.

It might pose a greater security risk if the plugin does nothing bad and
installed another plugin that does that job for it. It might be
difficult to track down and WordPress might be assumed at fault.

Really, it depends mostly on the user's lack of technical knowledge.
--
Ticket URL: <http://trac.wordpress.org/ticket/5174#comment:2>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
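
An added example, not part of the original message and not WordPress's own code: an offline check for the situation this ticket describes, an entry in the activated-plugins option whose file no longer carries a plugin header and so cannot be deactivated from the admin screen. It assumes the `active_plugins` option value has been dumped from the database as a PHP-serialized array of relative paths; the function names, the 8 KiB header window and the sample data are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

ELEM = re.compile(rb's:(\d+):"')               # start of one serialized PHP string
HEADER = re.compile(rb"Plugin Name:[ \t]*\S")  # header the admin plugin list relies on

def active_plugins(option_value: bytes) -> list[str]:
    """Pull the plugin paths out of the serialized active_plugins option."""
    paths, pos = [], 0
    while (m := ELEM.search(option_value, pos)):
        start, end = m.end(), m.end() + int(m.group(1))  # length is in bytes
        if option_value[end:end + 2] != b'";':
            raise ValueError("malformed serialized string")
        paths.append(option_value[start:end].decode("utf-8"))
        pos = end + 2
    return paths

def audit(option_value: bytes, plugins_dir: Path) -> dict[str, str]:
    """Map each suspicious active entry to the reason it was flagged."""
    root, findings = plugins_dir.resolve(), {}
    for rel in active_plugins(option_value):
        target = (root / rel).resolve()
        if not target.is_relative_to(root):
            findings[rel] = "outside plugins directory"
        elif not target.is_file():
            findings[rel] = "file missing"
        elif not HEADER.search(target.read_bytes()[:8192]):  # assumed header window
            findings[rel] = "active but no Plugin Name header (hidden from admin list)"
    return findings

def demo() -> dict[str, str]:
    """Constructed sample: one normal plugin, one with its header cleared, one deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "akismet").mkdir()
        (root / "akismet/akismet.php").write_text("<?php\n/*\nPlugin Name: Akismet\n*/\n")
        (root / "sneaky.php").write_text("<?php\n// header removed after activation\n")
        option = (b'a:3:{i:0;s:19:"akismet/akismet.php";'
                  b'i:1;s:10:"sneaky.php";i:2;s:8:"gone.php";}')
        return audit(option, root)

if __name__ == "__main__":
    for path, reason in demo().items():
        print(f"{path}: {reason}")
```

Any entry reported here is still loaded as active even though the plugin list may not show it, so it has to be removed from the option or from disk by hand.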