[wp-meta] [Making WordPress.org] #5747: Block plugins using `Update URI`
Making WordPress.org
noreply at wordpress.org
Tue May 25 03:11:28 UTC 2021
#5747: Block plugins using `Update URI`
------------------------------+--------------------
Reporter: dd32 | Owner: (none)
Type: task | Status: new
Priority: normal | Milestone:
Component: Plugin Directory | Keywords:
------------------------------+--------------------
WordPress Core now supports the `Update URI` header for plugins. Initial
support was added to the update checks in r16912-dotorg, but now we need
to ensure that Plugin updates served from WordPress.org never have that
header set to either a) an invalid URL or b) a URI which is not the W.org
hosted plugin.
There are two benefits of the header:
1. Plugins which are not hosted on W.org can state that, and a future
plugin using the same slug won't override it
2. The slug can be determined on W.org much easier, if the plugin defines
it. We don't need to compare the slug/name/author/etc in order to find the
right plugin.
The header formats which should be supported for hosted plugins should be
either:
- `https://wordpress.org/plugins/$slug/`
- `w.org/plugins/$slug`
- Not set
The first is the URL to the public page for the plugin, the second is the
`id` attribute exposed in the update check response. The ID here once was
the post ID but I changed it a few years ago.
Anything that is not those two formats should cause the plugin import on
WordPress.org to be aborted, and for that update to never be served from
WordPress.org.
An example of this is, ACME Inc commits an update containing:
{{{
Plugin Name: ACME Widgets
Author: ACME Inc
Update URI: https://github.com/acme/widgets
}}}
That should NOT be packaged and/or served by WordPress.org; the commit
should simply be ignored until corrected.
See https://core.trac.wordpress.org/changeset/50921 & r16912-dotorg for
the API code
--
Ticket URL: <https://meta.trac.wordpress.org/ticket/5747>
Making WordPress.org <https://meta.trac.wordpress.org/>
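
The check described in this ticket, as an added PHP example that is not part of the original message or the Plugin Directory's own code. The function names, the simplified header matcher and the `acme-widgets` slug are assumptions made for illustration.

```php
<?php
// Added example: not the Plugin Directory's import code. Function names are hypothetical.

// Pull the `Update URI` value out of a plugin file's header comment ('' if absent).
// Simplified header matcher written for this example.
function example_get_update_uri( string $contents ): string {
	if ( preg_match( '/^[ \t\/*#@]*Update URI:(.*)$/mi', $contents, $m ) ) {
		return trim( $m[1] );
	}
	return '';
}

// Fail closed: only an unset header or an exact match for this plugin's own slug passes.
function example_update_uri_allowed( string $update_uri, string $slug ): bool {
	if ( '' === $update_uri ) {
		return true; // "Not set" is one of the accepted states.
	}
	return in_array(
		$update_uri,
		array( "https://wordpress.org/plugins/{$slug}/", "w.org/plugins/{$slug}" ),
		true
	);
}

// Constructed inputs; the slug `acme-widgets` is assumed for the ticket's ACME example.
$slug  = 'acme-widgets';
$cases = array(
	'https://github.com/acme/widgets',             // the ticket's example: off-site URI
	'https://wordpress.org/plugins/acme-widgets/', // public plugin page
	'w.org/plugins/acme-widgets',                  // update-check `id` format
	'w.org/plugins/other-plugin',                  // W.org format, but a different plugin
	'http://wordpress.org/plugins/acme-widgets/',  // not one of the two listed formats
	null,                                          // header omitted
);

foreach ( $cases as $uri ) {
	$header = "/*\n * Plugin Name: ACME Widgets\n * Author: ACME Inc\n"
		. ( null === $uri ? '' : " * Update URI: {$uri}\n" ) . " */\n";
	$found  = example_get_update_uri( "<?php\n" . $header );
	$ok     = example_update_uri_allowed( $found, $slug );
	printf( "%-45s %s\n", '' === $found ? '(not set)' : $found, $ok ? 'import' : 'abort import' );
}
```

Comparing the whole string against the two expected values, rather than parsing the URL and checking its host, also rejects a W.org-style URI that names another plugin's slug.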