[wp-trac] Re: [WordPress Trac] #8927: allow turning off 'calling home' even _before_ install

WordPress Trac wp-trac at lists.automattic.com
Tue Feb 24 04:19:22 GMT 2009


#8927: allow turning off 'calling home' even _before_ install
--------------------------------------------------+-------------------------
 Reporter:  jidanni                               |        Owner:  jacobsantos
     Type:  enhancement                           |       Status:  closed     
 Priority:  lowest                                |    Milestone:  2.8        
Component:  HTTP                                  |      Version:  2.7        
 Severity:  trivial                               |   Resolution:  fixed      
 Keywords:  dev-feedback has-patch needs-testing  |  
--------------------------------------------------+-------------------------

Comment(by jacobsantos):

 Replying to [comment:14 jidanni]:
 > Looks good. OK, I see you all have taken the "lock the liquor store"
 > (seal off HTTP access) approach. However that still leaves plenty of
 > teenagers (processes that wish to use HTTP) roving around outside
 > hoping for access... but I suppose that's how society is.

 What other approach is there? Hide all of the liquor or remove the liquor
 from the store every night?

 > But wait, my "gold standard test" is: starting from a vanilla install,
 > all the way even including browsing the dashboard (currently (2.7.1)
 > booby trapped to download RSS even before you can reach for "screen
 > options"), can I avoid one single download?

 I don't understand, WTF are you talking about? If you want to disable HTTP
 API, you do so in the wp-config.php, you can do this before you even
 install !WordPress or before you enter the dashboard.

 > {{{
 > * You block external URL requests by defining WP_HTTP_BLOCK_EXTERNAL
 > * in your wp-config.php file  and this will only allow localhost and
 > * your blog to make requests.
 > }}}
 > Sorry I'm still using 2.7.1, but looking at the new code,
 > aren't "localhost and my blog" the ones making those RSS etc.
 > requests on the Dashboard?

 No, sorry, that should read, "Will only make requests '''to''' localhost
 and your blog host."

 > By the way,
 > {{{
 > * The constant WP_ACCESSABLE_HOSTS will allow additional hosts to go
 > through for requests.
 > }}}
 > that would be good for 'Block many, but let through a few', but I'm
 > afraid you need one further variable for those who wish to 'Block a few,
 > but let through many'.

 Yeah, you know, a plugin can hook into it and add theirs. I suppose the
 whitelist is more security minded, but a lot more work when you have a
 great deal. However, it was not foreseen that there would be many hosts
 that you will want to allow. Preventing only a few won't exactly protect
 you. If you want to allow more, then you can do so. I suppose, if you have
 plugins, you will need to add exceptions for them, for the ones you want
 to let through.

 Actually, it would be extremely easy to add the ability for allow, deny
 constants. I don't foresee myself attempting that at this moment nor in the
 near future.

 Actually, ACCESSIBLE hosts is misspelled and needs to be corrected (don't
 want it to end up like HTTP 'referer' (sic)), so I'll fix that and add
 allow and deny. Not this week, but soon.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/8927#comment:16>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
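
The decision described in the message above, sketched as an added example (not WordPress core code and not from the ticket's patch): with blocking enabled, only localhost, the blog's own host, and explicitly listed hosts stay reachable. The function name, its parameters and the sample hosts are assumptions made for illustration.

```php
<?php
// Added illustration, not WordPress core code. Names are hypothetical.

/**
 * Return true when an outbound request to $url must be blocked.
 *
 * $blockExternal models WP_HTTP_BLOCK_EXTERNAL being defined as true;
 * $extraHosts models the comma-separated list of additional allowed hosts.
 */
function outbound_request_blocked(
    string $url,
    string $blogUrl,
    bool $blockExternal,
    string $extraHosts = ''
): bool {
    if (!$blockExternal) {
        return false; // Blocking is off: every request goes through.
    }

    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return true; // No usable host: fail closed.
    }
    $host = strtolower($host);
    $blogHost = strtolower((string) parse_url($blogUrl, PHP_URL_HOST));

    // Requests to localhost and to the blog's own host are always allowed.
    if ($host === 'localhost' || $host === $blogHost) {
        return false;
    }

    // Anything else must be listed explicitly (exact host match).
    $allowed = array_filter(array_map('trim', explode(',', strtolower($extraHosts))));
    return !in_array($host, $allowed, true);
}

// Constructed sample data: blog URL, extra hosts and request targets.
$blog  = 'http://blog.example.org/';
$extra = 'api.example.net, feeds.example.net';
$urls  = [
    'http://localhost/wp-cron.php',
    'http://blog.example.org/xmlrpc.php',
    'http://api.example.net/version-check',
    'http://planet.example.com/feed/',
];
foreach ($urls as $u) {
    printf("%-40s %s\n", $u, outbound_request_blocked($u, $blog, true, $extra) ? 'blocked' : 'allowed');
}
```

Because the list is default-deny, a host that is missing from it fails closed, which is the "block many, but let through a few" behaviour discussed in the thread.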

