[wp-trac] [WordPress Trac] #16778: wordpress is leaking user/blog information during wp_version_check()

WordPress Trac noreply at wordpress.org
Wed Dec 7 17:11:30 UTC 2016


#16778: wordpress is leaking user/blog information during wp_version_check()
----------------------------+-----------------------
 Reporter:  investici       |       Owner:
     Type:  enhancement     |      Status:  reopened
 Priority:  normal          |   Milestone:
Component:  Administration  |     Version:
 Severity:  minor           |  Resolution:
 Keywords:  has-patch       |     Focuses:
----------------------------+-----------------------

Comment (by Otto42):

 @DvanKooten If you're wanting to not send the number of users or blogs
 back as part of the update request, I would recommend using the
 pre_site_option_blog_count and pre_site_option_user_count filters to
 simply return whatever values you want. To make it only apply to the WP
 update check, I'd use the wp_version_check action hook to attach these
 filters. Like so:

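 {{{
 // Attach the count filters only while the update check is running.
 add_action( 'wp_version_check', 'falsify_user_blog_count', 1 );
 function falsify_user_blog_count() {
         // pre_site_option_* hooks are filters; a non-false return value
         // short-circuits the option lookup, so both counts read as 0.
         add_filter( 'pre_site_option_blog_count', '__return_zero' );
         add_filter( 'pre_site_option_user_count', '__return_zero' );
 }
 }}}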

 Essentially this preempts the data sent back, making it send zeros for
 that data instead. By hooking to wp_version_check action with a priority
 of 1, your actions connect before the data is retrieved in the
 wp_version_check function, and won't be connected the rest of the time
 (like when you're looking at the network dashboard). Since the
 wp_version_check action is fired via wp-cron, it's not fired in the main
 web process at all, and thus can't affect anything else.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/16778#comment:69>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
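
To confirm that the filters described in the comment above take effect, the outgoing request can be inspected before it leaves the site. The following is an added example, not code from the ticket or from WordPress core; the `vc_audit_*` function names are hypothetical, the sample URLs are constructed, and it assumes the update check goes to `api.wordpress.org` under `/core/version-check/` with `users` and `blogs` query parameters.

```php
<?php
// Added example (not WordPress core code): audit what the version check sends.

/**
 * Return the 'users' and 'blogs' query values from a version-check URL,
 * or null when the URL is not a core version-check request.
 */
function vc_audit_counts( $url ) {
    $parts = parse_url( $url );
    if ( empty( $parts['host'] ) || 'api.wordpress.org' !== $parts['host'] ) {
        return null;
    }
    if ( empty( $parts['path'] ) || 0 !== strpos( $parts['path'], '/core/version-check/' ) ) {
        return null;
    }
    $query = array();
    parse_str( isset( $parts['query'] ) ? $parts['query'] : '', $query );
    return array(
        'users' => isset( $query['users'] ) ? $query['users'] : null,
        'blogs' => isset( $query['blogs'] ) ? $query['blogs'] : null,
    );
}

/** pre_http_request callback: log the counts, never short-circuit the request. */
function vc_audit_log( $preempt, $args, $url ) {
    $counts = vc_audit_counts( $url );
    if ( null !== $counts ) {
        error_log( sprintf( 'version-check sends users=%s blogs=%s',
            var_export( $counts['users'], true ), var_export( $counts['blogs'], true ) ) );
    }
    return $preempt; // unchanged, so the request proceeds normally
}

if ( function_exists( 'add_filter' ) ) {
    // Inside WordPress: observe every outgoing HTTP API request.
    add_filter( 'pre_http_request', 'vc_audit_log', 10, 3 );
} else {
    // Stand-alone run over constructed sample URLs (not captured traffic).
    $samples = array(
        'https://api.wordpress.org/core/version-check/1.7/?version=4.7&users=0&blogs=0',
        'https://api.wordpress.org/core/version-check/1.7/?version=4.7&users=412&blogs=37',
        'https://example.org/feed/',
    );
    foreach ( $samples as $u ) {
        var_dump( vc_audit_counts( $u ) );
    }
}
```

With the filters from the comment active, the logged line should show `users` and `blogs` as `'0'`; any other value means the counts are still being sent.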

