[wp-trac] [WordPress Trac] #42255: Security Notice: Plugin Contributor Change

WordPress Trac noreply at wordpress.org
Tue Oct 17 23:19:50 UTC 2017


#42255: Security Notice: Plugin Contributor Change
-------------------------+-----------------------------
 Reporter:  blobfolio    |      Owner:
     Type:  enhancement  |     Status:  new
 Priority:  normal       |  Milestone:  Awaiting Review
Component:  Plugins      |    Version:
 Severity:  normal       |   Keywords:
  Focuses:               |
-------------------------+-----------------------------
 Software updates are wonderful, but sometimes a good plugin gets sold to a
 bad person (https://make.wordpress.org/meta/handbook/about/get-involved/learn-how-to-contribute-code/)
 who might then do bad things with it.

 A simple way to help mitigate this would be to add a notice to the plugins
 and updates screens indicating if the remote contributor(s) differ from
 the locally-installed ones. That way users can take extra precautions
 before updating that they might not otherwise do.

 This could either be done by caching the contributor values from routine
 plugins API calls (and handling differences as they happen), or by parsing
 that information from local copies of each plugin's `readme.txt` file.

 The latter will probably be a bit more consistent (always local<->remote),
 particularly for users who only log in once per year, but I'll test both
 to see if there are any performance issues, etc., to weigh in.

 I'll get an initial patch together soon. I just wanted to start a ticket
 for reference. :)

--
Ticket URL: <https://core.trac.wordpress.org/ticket/42255>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
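As an added sketch of the "parse the local readme.txt" approach proposed in the ticket (this is not code from the ticket author or from WordPress core), the block below reads the `Contributors:` header from a plugin's local `readme.txt`, diffs it against a remote contributor list, and prints an inline warning under the plugin's row. The `rc_fetch_remote_contributors()` helper and the shape of the remote list (an array of wordpress.org usernames) are assumptions; `after_plugin_row` is a real core action.

```php
<?php
// Added example, not from the ticket or WordPress core. Assumes the remote
// list is an array of contributor slugs and the header reads "Contributors: a, b".
/** Parse the Contributors header of a readme.txt into a sorted, lowercase list. */
function rc_parse_readme_contributors( string $readme_path ): array {
    if ( ! is_readable( $readme_path ) ) {
        return array();
    }
    // Only the header block matters; reading 8 KB avoids slurping large readmes.
    $head = (string) file_get_contents( $readme_path, false, null, 0, 8192 );
    if ( ! preg_match( '/^Contributors:\s*(.+)$/mi', $head, $m ) ) {
        return array();
    }
    $names = array_map( 'trim', explode( ',', $m[1] ) );
    $names = array_filter( array_map( 'strtolower', $names ) );
    $names = array_values( array_unique( $names ) );
    sort( $names );
    return $names;
}
/** Return [added, removed] contributor lists; both empty when the sets match. */
function rc_contributor_diff( array $local, array $remote ): array {
    $local  = array_map( 'strtolower', $local );
    $remote = array_map( 'strtolower', $remote );
    return array(
        'added'   => array_values( array_diff( $remote, $local ) ),
        'removed' => array_values( array_diff( $local, $remote ) ),
    );
}
// Hypothetical hook-up on the Plugins screen. rc_fetch_remote_contributors() is an
// assumed helper that would return the (cached) plugins API contributor list.
add_action( 'after_plugin_row', function ( $plugin_file ) {
    // Single-file plugins have no directory (dirname() gives '.'), so no readme is found.
    $readme = WP_PLUGIN_DIR . '/' . dirname( $plugin_file ) . '/readme.txt';
    $local  = rc_parse_readme_contributors( $readme );
    $remote = function_exists( 'rc_fetch_remote_contributors' )
        ? rc_fetch_remote_contributors( $plugin_file ) : array();
    if ( empty( $local ) || empty( $remote ) ) {
        return; // Nothing to compare; stay silent rather than warn spuriously.
    }
    $diff = rc_contributor_diff( $local, $remote );
    if ( $diff['added'] || $diff['removed'] ) {
        printf(
            '<tr class="plugin-update-tr"><td colspan="4"><div class="notice notice-warning inline"><p>%s</p></div></td></tr>',
            esc_html( sprintf( 'Contributors changed: added %s; removed %s',
                implode( ', ', $diff['added'] ) ?: 'none',
                implode( ', ', $diff['removed'] ) ?: 'none' ) )
        );
    }
} );
```

The diff is case-insensitive and order-independent, so a reordered or re-capitalised header does not trigger a warning; only a genuinely added or removed username does.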

