[wp-trac] [WordPress Trac] #31104: Plugin activation includes plugin file in variable scope of activate_plugin

WordPress Trac noreply at wordpress.org
Fri Jan 23 06:57:18 UTC 2015 

#31104: Plugin activation includes plugin file in variable scope of activate_plugin
--------------------------+-----------------------------
 Reporter:  Mike_Cowobo   |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Plugins       |    Version:  trunk
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 When a plugin is activated, it is included in `activate_plugin`, with
 access to the variable scope of `activate_plugin`. This caused a problem
 with `$plugin` in #28102, and was fixed in [28644], but the other
 variables that are used in the function (`$current`, `$silent` and
 `$network_wide`) can still potentially cause problems.

 Overriding `$current` and `$network_wide`, a plugin could potentially
 deactivate all active plugins on activation or activate itself network
 wide when activated per-site (or vice-versa).

 It's not hard to imagine plugins using those var names in the main plugin
 file. To illustrate, here is an example of a broken plugin file:

 {{{
 <?php
 /*
 Plugin Name: Broken Plugin
 Plugin URI: http://example.com
 Description: This plugin breaks things when it is activated
 Version: 0.1
 Author: Your Name
 Author URI: http://example.com
 */

 // Is this a network install?
 $network_wide = is_multisite(); // EFFECT: Will turn a per-site activation
 into a multisite activation

 $defaults = array( "my-option" => 1 );

 foreach( $defaults as $option => $current ) {

     if ( !get_option( $option ) ) {
         add_option( $option, $current );
     }

 } // EFFECT: $current is now '1'. This deactivates ALL active plugins.

 }}}

 Though the occurrence will be rare, these side-effect can be hard to debug
 for a plugin developer. Instead of saving the variable in a shadow var
 like in [28644], it can be easily and definitively fixed by calling the
 include from a separate function, so the variable scope of activate_plugin
 is simply out of reach. I have attached a patch. With the patch, the
 broken plugin above loses all side-effects.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/31104>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list