[wp-meta] [Making WordPress.org] #5868: Improve checks on non-viable plugin names to prevent abuse
Making WordPress.org
noreply at wordpress.org
Tue Aug 17 20:36:51 UTC 2021
#5868: Improve checks on non-viable plugin names to prevent abuse
------------------------------+--------------------
Reporter: Ipstenu | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone:
Component: Plugin Directory | Keywords:
------------------------------+--------------------
Currently the plugin directory code has a very basic check for disallowed
terms in plugin names, including a number of restricted terms as
determined by trademark owners. This has the flaw of 'lumping together'
reasons why a plugin name is not permitted, causing confusion to the
community.
This check ONLY happens on initial submission.
The code is found in
https://meta.trac.wordpress.org/browser/sites/trunk/wordpress.org/public_html/wp-content/plugins/plugin-directory/shortcodes/class-upload-handler.php
First we check for reserved slugs (aka permalinks that if used could break
the .org system in weird ways):
https://meta.trac.wordpress.org/browser/sites/trunk/wordpress.org/public_html/wp-content/plugins/plugin-directory/shortcodes/class-upload-handler.php#L388
Then we check for trademarked terms (and this is where our trouble
begins):
https://meta.trac.wordpress.org/browser/sites/trunk/wordpress.org/public_html/wp-content/plugins/plugin-directory/shortcodes/class-upload-handler.php#L430
If you read down that list, you'll see we not only prohibit terms like
'wordpress' but also 'wordpess' and 'wpress' and (sadly) 'wp-'
This is due to people getting 'clever' when they receive the error
messages and trying to work around the block.
However. The additional reason we flag 'wp-' is that a high percentage of
people use it and don't realize that they _can't_ use "WordPress" later on
in their display name. So they'll submit "WP PluginName" and, after
approval, change it to "WordPress PluginName" which is clearly not okay.
This results in subsequent plugin closures due to valid trademark
violations.
On the other hand, we don't block "wc-" and at least once a day we're
forced to pend a plugin review to make it clear that they cannot use "WC"
in lieu of WooCommerce in names, and please don't replace it.
Both methods have flaws. Both methods result in people violating
trademarks down the road. Neither actually seems to make a dent on people
using trademarked logos in banners and icons, though that may be a lost
cause.
The only real way to block the misuse once approved would be via SVN
commit hooks, however there may not be an easy way to flag the allowed
list (see
https://meta.trac.wordpress.org/browser/sites/trunk/wordpress.org/public_html/wp-content/plugins/plugin-directory/shortcodes/class-upload-handler.php#L522
for an example of how we check on submit).
A possible middle ground would be to have a list of 'probably going to be
abused' terms (like wp- or wc-) and change the automated 'your submission
has been received' email (and the output on the page) to make it clear:
"Your plugin begins with a term that can be commonly misused. Please
remember that while the use of [term] is permitted in your plugin names,
it should not be the FIRST term of your display name. If later on you
change your plugin name to infringe on trademarks, your plugin will be
closed without prior notice."
(Needs work - I don't know that it's clear that 'if you make your plugin
start with WordPress, you're gonna have a bad time' is what we mean...
maybe an array of the slug term and the actual name we're trying to
prevent?)
And that doesn't really touch on how to prevent abuse after approval :( We
use SVN so that would need someone with amazing SVN chops to dig into.
At this point, my brilliance fails me so I ask for help coming up with
something that can stem the tide. My ultimate goal is to never have to
close another plugin for trademark abuse again, because no one would
violate them.
--
Ticket URL: <https://meta.trac.wordpress.org/ticket/5868>
Making WordPress.org <https://meta.trac.wordpress.org/>
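
A sketch of the "array of the slug term and the actual name we're trying to prevent" idea from the ticket, as an added example that is not code from the ticket or from class-upload-handler.php. The map contents, function names and sample submissions are assumptions made for illustration; the same classification could be run at submission and again whenever a display name is re-read.

```php
<?php
// Added illustration, not code from class-upload-handler.php.
// Hypothetical map: permitted slug prefix => trademark the display name must not lead with.
const RISKY_PREFIXES = [
    'wp-' => 'WordPress',
    'wc-' => 'WooCommerce',
];

// Lowercase and drop everything but letters and digits, so "Word-Press" compares like "WordPress".
function normalise_name( string $name ): string {
    return (string) preg_replace( '/[^a-z0-9]/', '', strtolower( $name ) );
}

// Classify a slug / display-name pair as 'ok', 'warn' or 'violation'.
// Only slugs that start with a listed prefix are examined here; other names
// are assumed to be covered by the existing disallowed-term check.
function review_plugin_name( string $slug, string $display_name ): array {
    foreach ( RISKY_PREFIXES as $prefix => $trademark ) {
        if ( 0 !== strpos( strtolower( $slug ), $prefix ) ) {
            continue; // Slug does not start with this commonly misused term.
        }
        if ( 0 === strpos( normalise_name( $display_name ), normalise_name( $trademark ) ) ) {
            return [ 'violation', sprintf( 'Display name begins with "%s".', $trademark ) ];
        }
        return [ 'warn', sprintf(
            'The use of "%s" is permitted, but "%s" must not be the first term of your display name.',
            rtrim( $prefix, '-' ),
            $trademark
        ) ];
    }
    return [ 'ok', '' ];
}

// Constructed sample submissions: [ slug, display name ].
$samples = [
    [ 'wp-pluginname', 'WP PluginName' ],
    [ 'wp-pluginname', 'WordPress PluginName' ],
    [ 'wc-pluginname', 'Woo Commerce PluginName' ],
    [ 'pluginname', 'PluginName for WooCommerce' ],
];
foreach ( $samples as [ $slug, $name ] ) {
    [ $status, $message ] = review_plugin_name( $slug, $name );
    printf( "%-14s %-27s %-9s %s\n", $slug, $name, $status, $message );
}
```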