[wp-hackers] Plugin update & security / privacy - Data sent

Omry Yadan omry at yadan.net
Sun Sep 23 13:14:45 GMT 2007


Sounds good to me.

Maybe we should only send the plugin file, version and name.

Also, in the spirit of my original proposal:

1. This should not be bundled with the new version check.

2. Users should explicitly agree to send info before WP sends anything.


Moritz 'Morty' Strübe wrote:

> To get some facts out I added some debugging output.
> Notice that there are 11k of data transmitted. Also, of course, your
> WordPress version and your URL (which I already encapsulated in an MD5).
> IMHO a list of plugin names and an answer with the current version
> numbers is enough data to be transmitted.
>
> The request:
>
> POST /plugins/update-check/1.0/ HTTP/1.0
> Host: api.wordpress.org
> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
> Content-Length: 11000
> User-Agent: WordPress/2.3-RC1; 4b028de5098db7fb05c6d6dd264de215
>
> And the data:
>
> data:object(stdClass)(2) {
>   ["plugins"]=>
>   array(15) {
>     ["akismet/akismet.php"]=>
>     array(5) {
>       ["Name"]=>
>       string(7) "Akismet"
>       ["Title"]=>
>       string(71) "<a href="http://akismet.com/" title="Visit plugin homepage">Akismet</a>"
>       ["Description"]=>
>       string(354) "Akismet checks your comments against the Akismet web service to see if they look like spam or not. You need a <a href="http://wordpress.com/api-keys/">WordPress.com API key</a> to use it. You can review the spam it catches under &#8220;Comments.&#8221; To show off your Akismet stats just put <code>&lt;?php akismet_counter(); ?></code> in your template."
>       ["Author"]=>
>       string(80) "<a href="http://photomatt.net/" title="Visit author homepage">Matt Mullenweg</a>"
>       ["Version"]=>
>       string(5) "2.0.2"
>     }
>     ["cjd_delete_de.php"]=>
>     array(5) {
>       ["Name"]=>
>       string(35) "CJD-<br />Spam Nuke <br />(deutsch)"
>       ["Title"]=>
>       string(121) "<a href="http://chrisjdavis.org/category/wp-hacks/" title="Visit plugin homepage">CJD-<br />Spam Nuke <br />(deutsch)</a>"
>       ["Description"]=>
>       string(216) "Dieses Plugin macht all die Kommentare sicht- und l&ouml;schbar, die mit dem Attribut &#8216;Spam&#8217; in der Datenbank herumliegen. Deutsche Bearbeitung: <a href="http://www.journal.kylaloo.net/">Mathias Hundt</a>"
>       ["Author"]=>
>       string(105) "<a href="http://chrisjdavis.org/" title="Visit author homepage">Chris J. Davis, Scott (skippy) Merill</a>"
>       ["Version"]=>
>       string(5) "1.5.3"
>     }
>     ["follow.php"]=>
>     array(5) {
>       ["Name"]=>
>       string(10) "Follow-URL"
>       ["Title"]=>
>       string(79) "<a href="http://blog.taragana.com" title="Visit plugin homepage">Follow-URL</a>"
>       ["Description"]=>
>       string(108) "Dieses Plugin entfernt das <strong>nofollow</strong>-Attribut, dass WordPress an Links in Kommentaren setzt."
>       ["Author"]=>
>       string(90) "<a href="http://blog.taragana.com/" title="Visit author homepage">Angsuman Chakraborty</a>"
>       ["Version"]=>
>       string(3) "1.0"
>     }
>     ["gengo/gengo.php"]=>
>     array(5) {
>       ["Name"]=>
>       string(5) "Gengo"
>       ["Title"]=>
>       string(88) "<a href="http://jamietalbot.com/wp-hacks/gengo/" title="Visit plugin homepage">Gengo</a>"
>       ["Description"]=>
>       string(180) "Multi-language blogging for WordPress.<br/>Licensed under the <a href="http://www.opensource.org/licenses/mit-license.php">MIT License</a>, Copyright &copy; 2006-2007 Jamie Talbot."
>       ["Author"]=>
>       string(80) "<a href="http://jamietalbot.com/" title="Visit author homepage">Jamie Talbot</a>"
>       ["Version"]=>
>       string(3) "0.9"
>     }
>     ["gravatars2.php"]=>
>     array(5) {
>       ["Name"]=>
>       string(10) "Gravatars2"
>       ["Title"]=>
>       string(84) "<a href="http://zenpax.com/gravatars2/" title="Visit plugin homepage">Gravatars2</a>"
>       ["Description"]=>
>       string(326) "Implements Gravatars (global avatars: gravatar.com) with enhanced caching support, cron support, &#038; administrative interface to control default options.  Registered users can use local Gravatars (also cached). Copyright 2006 Kip Bond; Licensed under the terms of the <a href="http://www.gnu.org/licenses/gpl.html">GPL</a>."
>       ["Author"]=>
>       string(82) "<a href="http://zenpax.com/gravatars2/" title="Visit author homepage">Kip Bond</a>"
>       ["Version"]=>
>       string(5) "2.6.1"
>     }
>     ["gravatars2-wpcron.php"]=>
>     array(5) {
>       ["Name"]=>
>       string(18) "Gravatars2 WP-Cron"
>       ["Title"]=>
>       string(92) "<a href="http://zenpax.com/gravatars2/" title="Visit plugin homepage">Gravatars2 WP-Cron</a>"
>       ["Description"]=>
>       string(194) "Refreshes the cached gravatar images using a pseudo-cron implementation &#8212; Requires WP-Cron (http://skippy.net/blog/2005/10/09/wp-cron-14/) &#038; Gravatars2 (http://zenpax.com/gravatars2/)"
>       ["Author"]=>
>       string(82) "<a href="http://zenpax.com/gravatars2/" title="Visit author homepage">Kip Bond</a>"
>       ["Version"]=>
>       string(3) "1.1"
>     }
>     ["hello.php"]=>
>     array(5) {
>       ["Name"]=>
>       string(11) "Hello Dolly"
>       ["Title"]=>
>       string(78) "<a href="http://wordpress.org/#" title="Visit plugin homepage">Hello Dolly</a>"
>       ["Description"]=>
>       string(295) "This is not just a plugin, it symbolizes the hope and enthusiasm of an entire generation summed up in two words sung most famously by Louis Armstrong: Hello, Dolly. When activated you will randomly see a lyric from <cite>Hello, Dolly</cite> in the upper right of your admin screen on every page."
>       ["Author"]=>
>       string(80) "<a href="http://photomatt.net/" title="Visit author homepage">Matt Mullenweg</a>"
>       ["Version"]=>
>       string(3) "1.5"
>     }
>     ["locktest.php"]=>
>     array(5) {
>       ["Name"]=>
>       string(9) "Lock test"
>       ["Title"]=>
>       string(96) "<a href="http://xn--strbe-mva.de/post-notification/" title="Visit plugin homepage">Lock test</a>"
>       ["Description"]=>
>       string(14) "Tests locking."
>       ["Author"]=>
>       string(86) "<a href="http://xn--strbe-mva.de" title="Visit author homepage">Moritz Str&uuml;be</a>"
>       ["Version"]=>
>       string(3) "1.0"
>     }
>     ["a_o42-clean-umlauts.php"]=>
>     array(5) {
>       ["Name"]=>
>       string(17) "o42-clean-umlauts"
>       ["Title"]=>
>       string(116) "<a href="http://otaku42.de/2005/06/30/plugin-o42-clean-umlauts/" title="Visit plugin homepage">o42-clean-umlauts</a>"
>       ["Description"]=>
>       string(366) "Das Plugin konvertiert die deutschen Umlaute in den Beitragstiteln, Kommentaren und Feeds zu ASCII. - Aus &auml;,&uuml;,&ouml;,&szlig; wird ein ae, ue, oe und ss. auf der L&ouml;sung von <a href="http://www.papascott.de">Scott Hanson</a>. Das Plugin wirkt sich nur aus, wenn bei der Permalinstruktur &#8220;<em>Basierend auf Datum und Name</em>&#8221; aktiviert ist."
>       ["Author"]=>
>       string(79) "<a href="http://otaku42.de/" title="Visit author homepage">Michael Renzmann</a>"
>       ["Version"]=>
>       string(5) "0.2.0"
>     }
>     ["wp-pagesnav/wp-pagesnav.php"]=>
>     array(5) {
>       ["Name"]=>
>       string(7) "PageNav"
>       ["Title"]=>
>       string(88) "<a href="http://www.adsworth.info/wp-pagesnav" title="Visit plugin homepage">PageNav</a>"
>       ["Description"]=>
>       string(18) "Header Navigation."
>       ["Author"]=>
>       string(80) "<a href="http://www.adsworth.info/" title="Visit author homepage">Adi Sieker</a>"
>       ["Version"]=>
>       string(5) "0.0.1"
>     }
>     ["post_notification/post_notification.php"]=>
>     array(5) {
>       ["Name"]=>
>       string(17) "Post Notification"
>       ["Title"]=>
>       string(104) "<a href="http://xn--strbe-mva.de/post-notification/" title="Visit plugin homepage">Post Notification</a>"
>       ["Description"]=>
>       string(74) "Sends an email to all subscribers. See readme or instructions for details."
>       ["Author"]=>
>       string(86) "<a href="http://xn--strbe-mva.de" title="Visit author homepage">Moritz Str&uuml;be</a>"
>       ["Version"]=>
>       string(8) "1.2.rc 5"
>     }
>     ["PN_mailfix.php"]=>
>     array(5) {
>       ["Name"]=>
>       string(25) "Post Notification Mailfix"
>       ["Title"]=>
>       string(112) "<a href="http://xn--strbe-mva.de/post-notification/" title="Visit plugin homepage">Post Notification Mailfix</a>"
>       ["Description"]=>
>       string(54) "Fixes problems sending HTML-mails - Only for WP 2.2.x!"
>       ["Author"]=>
>       string(86) "<a href="http://xn--strbe-mva.de" title="Visit author homepage">Moritz Str&uuml;be</a>"
>       ["Version"]=>
>       string(5) "1.2.1"
>     }
>     ["timezone.php"]=>
>     array(5) {
>       ["Name"]=>
>       string(9) "Time Zone"
>       ["Title"]=>
>       string(92) "<a href="http://kimmo.suominen.com/sw/timezone/" title="Visit plugin homepage">Time Zone</a>"
>       ["Description"]=>
>       string(136) "Automatische Umstellung von Sommerzeit auf Winterzeit. Einstellungen k&ouml;nnen unter: Optionen &raquo; Time Zone ge&auml;ndert werden."
>       ["Author"]=>
>       string(85) "<a href="http://kimmo.suominen.com/" title="Visit author homepage">Kimmo Suominen</a>"
>       ["Version"]=>
>       string(3) "2.1"
>     }
>     ["update-monitor.php"]=>
>     array(5) {
>       ["Name"]=>
>       string(14) "Update-Monitor"
>       ["Title"]=>
>       string(78) "<a href="http://blogshop.de/" title="Visit plugin homepage">Update-Monitor</a>"
>       ["Description"]=>
>       string(133) "Stay informed about new WordPress releases. <em>Powered by <a href="http://wordpress-deutschland.org">WordPress Deutschland</a></em>."
>       ["Author"]=>
>       string(79) "<a href="http://blogshop.de/" title="Visit author homepage">Olaf A. Schmitz</a>"
>       ["Version"]=>
>       string(3) "1.3"
>     }
>     ["wp-db-backup.php"]=>
>     array(5) {
>       ["Name"]=>
>       string(25) "WordPress Database Backup"
>       ["Title"]=>
>       string(105) "<a href="http://www.skippy.net/blog/plugins/" title="Visit plugin homepage">WordPress Database Backup</a>"
>       ["Description"]=>
>       string(44) "On-demand backup of your WordPress database."
>       ["Author"]=>
>       string(80) "<a href="http://www.skippy.net/" title="Visit author homepage">Scott Merrill</a>"
>       ["Version"]=>
>       string(3) "1.8"
>     }
>   }
>   ["active"]=>
>   array(3) {
>     [0]=>
>     string(12) "locktest.php"
>     [1]=>
>     string(39) "post_notification/post_notification.php"
>     [2]=>
>     string(27) "wp-pagesnav/wp-pagesnav.php"
>   }
> }
>
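As an added illustration of the proposal above (this is example code written for this thread, not WordPress core), the function below reduces the full plugin header array shown in the dump to just the plugin file, name and version, and refuses to build a request at all unless the site owner has explicitly opted in. The sample plugin array is constructed from two trimmed entries of the dump; the option name `$user_opted_in` and the use of `serialize()` for the wire form are assumptions.

```php
<?php
// Added example, not WordPress core code: minimise the update-check payload
// to file/name/version and gate it on explicit user consent.

// Constructed sample shaped like the var_dump in the thread (two entries, trimmed).
$plugins = array(
    'akismet/akismet.php' => array(
        'Name'        => 'Akismet',
        'Title'       => '<a href="http://akismet.com/" title="Visit plugin homepage">Akismet</a>',
        'Description' => 'Akismet checks your comments against the Akismet web service ...',
        'Author'      => '<a href="http://photomatt.net/" title="Visit author homepage">Matt Mullenweg</a>',
        'Version'     => '2.0.2',
    ),
    'hello.php' => array(
        'Name'        => 'Hello Dolly',
        'Title'       => '<a href="http://wordpress.org/#" title="Visit plugin homepage">Hello Dolly</a>',
        'Description' => 'This is not just a plugin, it symbolizes the hope and enthusiasm ...',
        'Author'      => '<a href="http://photomatt.net/" title="Visit author homepage">Matt Mullenweg</a>',
        'Version'     => '1.5',
    ),
);

/**
 * Keep only the fields the thread says are enough: the plugin file (array key),
 * its Name and its Version. Title, Description and Author HTML never leave the site.
 */
function minimal_update_check_payload(array $plugins)
{
    $out = array();
    foreach ($plugins as $file => $headers) {
        $out[$file] = array(
            'Name'    => isset($headers['Name']) ? $headers['Name'] : '',
            'Version' => isset($headers['Version']) ? $headers['Version'] : '',
        );
    }
    return $out;
}

/**
 * Build the POST body only when the user has explicitly agreed (assumed
 * boolean option $user_opted_in). Returns null otherwise, so the caller
 * sends nothing at all rather than a reduced payload.
 */
function build_update_check_request(array $plugins, $user_opted_in)
{
    if (!$user_opted_in) {
        return null;
    }
    // serialize() is an assumption for the wire format, matching the object dump above.
    return 'plugins=' . urlencode(serialize(minimal_update_check_payload($plugins)));
}

$full    = 'plugins=' . urlencode(serialize($plugins));
$minimal = build_update_check_request($plugins, true);

printf("full payload:    %d bytes\n", strlen($full));
printf("minimal payload: %d bytes\n", strlen($minimal));
var_dump(build_update_check_request($plugins, false)); // NULL: nothing is sent without consent
```

Run it with `php example.php`; the two byte counts make the size difference concrete, and the final `NULL` shows that the consent check happens before any payload is assembled, not just before it is transmitted.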