[wp-trac] [WordPress Trac] #18201: Verify updates with md5 checks
WordPress Trac
noreply at wordpress.org
Tue Sep 3 14:30:02 UTC 2013
#18201: Verify updates with md5 checks
-----------------------------+------------------
Reporter: nacin | Owner:
Type: feature request | Status: new
Priority: low | Milestone: 3.7
Component: Upgrade/Install | Version:
Severity: normal | Resolution:
Keywords: |
-----------------------------+------------------
Comment (by nofearinc):
The way I see the process here is the following (let me know if it's way
out of line or there is a better way to approach it):

1. Verify that PHP is compiled with OpenSSL support. If true, check for
sha1_file or md5_file functions locally. Then perform the
`get_core_updates` or `find_core_update` functions to fetch the updates,
get the right update. Download the file, check the checksum, extract the
content and perform the WordPress update. If the update fails, check
whether the file has already been downloaded (important for large servers
with thousands of WordPress installs) and work with it instead (otherwise
download again).

2. If PHP isn't compiled with OpenSSL support, then check for SSL support
in system curl/wget calls. Perform system download/update with the root CA
certificate bundled in WordPress. Then verify and install as described in
1.

3. If SSL is not installed at all, perform basic HTTP download with PHP or
wget/curl and update accordingly.

Best practice in different platforms/tools is providing two checksums
(both md5 and sha1) from the vendor (in version.php or some other new URL
on wordpress.org) as md5 or sha1 might not be available on the server.

Does it sound feasible and would we need to apply core updates in the
WP_Http class or other update functions from
`wp-admin/includes/update.php` in addition to the autoupdater itself?
--
Ticket URL: <http://core.trac.wordpress.org/ticket/18201#comment:8>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
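
The verify-then-reuse flow described in the comment above, as an added example that is not part of the original message and is not WordPress core code. The function names (`pick_checksum`, `package_is_valid`, `obtain_package`), the preference for sha1 over md5 and the sample package bytes are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not WordPress APIs.

// Choose the first vendor-published digest that this PHP build can compute.
// $published maps algorithm name => hex digest, e.g. ['md5' => ..., 'sha1' => ...].
function pick_checksum(array $published): ?array {
    foreach (['sha1', 'md5'] as $algo) { // assumed preference order
        if (isset($published[$algo]) && in_array($algo, hash_algos(), true)) {
            return [$algo, strtolower($published[$algo])];
        }
    }
    return null; // no usable algorithm: caller must fail closed
}

// True only if the file exists and matches the published digest.
function package_is_valid(string $path, array $published): bool {
    $choice = pick_checksum($published);
    if ($choice === null || !is_file($path)) {
        return false;
    }
    [$algo, $expected] = $choice;
    $actual = hash_file($algo, $path);
    return $actual !== false && hash_equals($expected, $actual);
}

// Reuse an already-downloaded package only if it verifies; otherwise
// download again, verify, and refuse to hand back a mismatching file.
function obtain_package(string $cachePath, array $published, callable $download): string {
    if (package_is_valid($cachePath, $published)) {
        return $cachePath;
    }
    @unlink($cachePath); // discard the truncated or tampered leftover
    $download($cachePath);
    if (!package_is_valid($cachePath, $published)) {
        @unlink($cachePath);
        throw new RuntimeException('Checksum mismatch; refusing to install package');
    }
    return $cachePath;
}

// Constructed demo: a corrupt cached file forces one download, then the cache is reused.
$payload   = 'constructed sample package bytes';
$published = ['md5' => md5($payload), 'sha1' => sha1($payload)];
$cache     = tempnam(sys_get_temp_dir(), 'pkg');
file_put_contents($cache, 'truncated download');
$calls = 0;
$fetch = function (string $dest) use ($payload, &$calls) { $calls++; file_put_contents($dest, $payload); };
obtain_package($cache, $published, $fetch); // leftover fails the check, so it is fetched again
obtain_package($cache, $published, $fetch); // verified copy is reused, no second fetch
echo "downloads performed: $calls\n";
unlink($cache);
```

A digest fetched over the same unauthenticated channel as the package only detects corruption, so in the plain-HTTP case of step 3 this check does not establish that the package is authentic.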