[wp-trac] [WordPress Trac] #25738: WP_HTTP uses transports that incorrectly claim to support a request

WordPress Trac noreply at wordpress.org
Fri Nov 15 06:40:18 UTC 2013


#25738: WP_HTTP uses transports that incorrectly claim to support a request
--------------------------+------------------
 Reporter:  dd32          |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  3.8
Component:  HTTP          |     Version:
 Severity:  normal        |  Resolution:
 Keywords:                |
--------------------------+------------------

Comment (by dd32):

 > Blacklisting this single version seems fine, but only if there are other
 > options. If streams are not available, 7.31.0 (with SSL) will still
 > probably work, which is better than failing altogether perhaps. This might
 > be too complicated to check for in reality.

 It'll succeed against most Apache servers, and a few others, but fail
 against a bunch of others.

 Most Plugins need to be written with the fact that not all servers can
 perform SSL connections reliably anyway, so blocking HTTPS connections via
 cURL on a host with a known bad version and letting it fall back to
 Streams+OpenSSL is a better option.
 If OpenSSL isn't available for Streams on that server, they're out of luck
 and the plugin will have to resort to HTTP.

 The tough part about blacklisting cURL 7.31.0 and cURL+GnuTLS (which both
 have the same issue) is that both of these can now communicate with
 api.wordpress.org securely, but if we block these, and the host doesn't
 have OpenSSL installed then they'll be left out in the cold with manual
 updates (Background Updates require HTTPS).
 So it's a balance between core functionality and more reliable requests
 for plugins.

 One alternative is that we only blacklist those 2 conditions when we can
 otherwise probably successfully make a connection with Streams:
 [attachment:25738.2.diff],

--
Ticket URL: <http://core.trac.wordpress.org/ticket/25738#comment:8>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
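
The conditional blacklist proposed in the comment's last paragraph, sketched as an added PHP example. It is not the contents of 25738.2.diff or WordPress core code; the function names are hypothetical, the Streams availability check is an assumption, and the sample arrays are constructed to mirror the shape of `curl_version()` output.

```php
<?php
/**
 * Hypothetical helper: can PHP streams plausibly make an HTTPS request?
 * Assumption: a stream socket client plus the OpenSSL extension is enough.
 */
function example_streams_ssl_available() {
    return function_exists( 'stream_socket_client' ) && extension_loaded( 'openssl' );
}

/**
 * Hypothetical helper: should cURL be skipped for an HTTPS request?
 *
 * @param array $curl       Array shaped like the result of curl_version().
 * @param bool  $streams_ok Whether Streams+OpenSSL is available as a fallback.
 */
function example_skip_curl_for_https( array $curl, $streams_ok ) {
    // The two conditions named in the comment: cURL 7.31.0, and cURL built on GnuTLS.
    $known_bad = ( '7.31.0' === $curl['version'] )
        || ( 0 === stripos( $curl['ssl_version'], 'GnuTLS' ) );

    // Only block cURL when Streams can take over. A host without OpenSSL keeps
    // its imperfect cURL HTTPS transport rather than losing HTTPS entirely.
    return $known_bad && $streams_ok;
}

// Constructed samples, not captured from real hosts.
$samples = array(
    'bad version, streams ok' => array( array( 'version' => '7.31.0', 'ssl_version' => 'OpenSSL/1.0.1e' ), true ),
    'bad version, no streams' => array( array( 'version' => '7.31.0', 'ssl_version' => 'OpenSSL/1.0.1e' ), false ),
    'GnuTLS, streams ok'      => array( array( 'version' => '7.26.0', 'ssl_version' => 'GnuTLS/2.12.20' ), true ),
    'GnuTLS, no streams'      => array( array( 'version' => '7.26.0', 'ssl_version' => 'GnuTLS/2.12.20' ), false ),
    'unaffected build'        => array( array( 'version' => '7.30.0', 'ssl_version' => 'OpenSSL/1.0.1e' ), true ),
);

foreach ( $samples as $label => $case ) {
    list( $curl, $streams_ok ) = $case;
    printf(
        "%-26s => %s\n",
        $label,
        example_skip_curl_for_https( $curl, $streams_ok ) ? 'skip cURL, use Streams' : 'keep cURL'
    );
}

// On a live host the same decision would be made from the real values.
if ( function_exists( 'curl_version' ) ) {
    var_dump( example_skip_curl_for_https( curl_version(), example_streams_ssl_available() ) );
}
```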

