[wp-meta] [Making WordPress.org] #5747: Block plugins using `Update URI`

Making WordPress.org noreply at wordpress.org
Tue May 25 03:11:28 UTC 2021


#5747: Block plugins using `Update URI`
------------------------------+--------------------
 Reporter:  dd32              |      Owner:  (none)
     Type:  task              |     Status:  new
 Priority:  normal            |  Milestone:
Component:  Plugin Directory  |   Keywords:
------------------------------+--------------------
 WordPress Core now supports the `Update URI` header for plugins. Initial
 support was added to the update checks in r16912-dotorg, but now we need
 to ensure that Plugin updates served from WordPress.org never have that
 header set to either a) an invalid URL or b) a URI which is not the W.org
 hosted plugin.

 There are two benefits of the header:
 1. Plugins which are not hosted on W.org can state that, and a future
 plugin using the same slug won't override it
 2. The slug can be determined on W.org much easier, if the plugin defines
 it. We don't need to compare the slug/name/author/etc in order to find the
 right plugin.

 The header formats which should be supported for hosted plugins should be
 either:
  - `https://wordpress.org/plugins/$slug/`
  - `w.org/plugins/$slug`
  - Not set

 The first is the URL to the public page for the plugin, the second is the
 `id` attribute exposed in the update check response. The ID here once was
 the post ID but I changed it a few years ago.

 Anything that is not those two formats should cause the plugin import on
 WordPress.org to be aborted, and for that update to never be served from
 WordPress.org.

 An example of this is, ACME Inc commits an update containing:
 {{{
 Plugin Name: ACME Widgets
 Author: ACME Inc
 Update URI: https://github.com/acme/widgets
 }}}
 That should NOT be packaged and/or served by WordPress.org; the commit
 should simply be ignored until corrected.

 See https://core.trac.wordpress.org/changeset/50921 & r16912-dotorg for
 the API code

-- 
Ticket URL: <https://meta.trac.wordpress.org/ticket/5747>
Making WordPress.org <https://meta.trac.wordpress.org/>
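
The import-time check described in the ticket, as an added example that is not part of the original message and is not WordPress.org's own code. The function names, the sample slugs, exact case-sensitive matching, and treating an empty header as "not set" are assumptions.

```php
<?php
// Added example; function names and sample slugs are hypothetical.

// Return the `Update URI` header value from a plugin file, or null when not set.
function example_get_update_uri(string $source): ?string {
    $head = substr($source, 0, 8192); // headers sit at the top of the main file
    if (!preg_match('/^[ \t\/*#@]*Update URI:(.*)$/mi', $head, $m)) {
        return null;
    }
    // Drop a trailing comment terminator on the same line, then whitespace.
    $value = trim(preg_replace('/\s*(?:\*\/|\?>).*/', '', $m[1]));
    return $value === '' ? null : $value; // assumption: empty counts as not set
}

// True when the import may proceed for the plugin hosted under $slug.
function example_update_uri_allowed(?string $uri, string $slug): bool {
    if ($uri === null) {
        return true; // "Not set" is one of the accepted cases
    }
    // Assumption: exact, case-sensitive match against the two listed formats.
    return in_array($uri, [
        "https://wordpress.org/plugins/{$slug}/",
        "w.org/plugins/{$slug}",
    ], true);
}

// Constructed plugin headers; the first URI is the ticket's ACME example.
function example_header(?string $uri): string {
    $line = $uri === null ? '' : " * Update URI: {$uri}\n";
    return "<?php\n/*\n * Plugin Name: ACME Widgets\n * Author: ACME Inc\n{$line} */\n";
}

$hosted_slug = 'acme-widgets'; // constructed slug
$samples = [
    'https://github.com/acme/widgets',
    'https://wordpress.org/plugins/acme-widgets/',
    'w.org/plugins/acme-widgets',
    'w.org/plugins/other-plugin', // valid format, wrong plugin
    'http://wordpress.org/plugins/acme-widgets/', // scheme differs
    null,
];
foreach ($samples as $sample) {
    $uri = example_get_update_uri(example_header($sample));
    $verdict = example_update_uri_allowed($uri, $hosted_slug) ? 'import' : 'abort';
    printf("%-6s %s\n", $verdict, $uri ?? '(not set)');
}
```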