[wp-trac] [WordPress Trac] #42255: Security Notice: Plugin Contributor Change
WordPress Trac
noreply at wordpress.org
Tue Oct 17 23:19:50 UTC 2017
#42255: Security Notice: Plugin Contributor Change
-------------------------+-----------------------------
Reporter: blobfolio | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Plugins | Version:
Severity: normal | Keywords:
Focuses: |
-------------------------+-----------------------------
Software updates are wonderful, but sometimes a good plugin gets sold to a
bad person
(https://make.wordpress.org/meta/handbook/about/get-involved/learn-how-to-contribute-code/)
who might then do bad things with it.
A simple way to help mitigate this would be to add a notice to the plugins
and updates screens indicating if the remote contributor(s) differ from
the locally-installed ones. That way users can take extra precautions
before updating that they might not otherwise do.
This could either be done by caching the contributor values from routine
plugins API calls (and handling differences as they happen), or by parsing
that information from local copies of each plugin's `readme.txt` file.
The latter will probably be a bit more consistent (always local<->remote),
particularly for users who only log in once per year, but I'll test both
to see if there are any performance issues, etc., to weigh in.
I'll get an initial patch together soon. I just wanted to start a ticket
for reference. :)
--
Ticket URL: <https://core.trac.wordpress.org/ticket/42255>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
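
One way to implement the local-versus-remote comparison proposed in the ticket, as an added example (not part of the original ticket and not WordPress core code): it reads the `Contributors:` header from a local `readme.txt` and diffs it against a remote list. All function names, the sample readme and the remote list are constructed for illustration, and the remote list is assumed to be plain usernames.

```php
<?php
// Added example; every function name here is hypothetical, not a WordPress API.

/** Lower-case, trim, de-duplicate and sort a list of usernames. */
function example_normalize(array $names): array {
    $names = array_map(fn($n) => strtolower(trim((string) $n)), $names);
    $names = array_values(array_unique(array_filter($names, 'strlen')));
    sort($names);
    return $names;
}

/** Read the Contributors header from a readme.txt, header block only. */
function example_readme_contributors(string $readme): array {
    $readme = preg_replace('/^\xEF\xBB\xBF/', '', $readme); // strip UTF-8 BOM
    foreach (preg_split('/\R/', $readme) as $line) {
        if (preg_match('/^==[^=]/', $line)) {
            break; // first "== Section ==" ends the header block
        }
        if (preg_match('/^\s*Contributors\s*:(.*)$/i', $line, $m)) {
            return example_normalize(explode(',', $m[1]));
        }
    }
    return []; // header missing: no local baseline
}

/** Compare local contributors with a remote list of usernames (assumed shape). */
function example_contributor_diff(string $local_readme, array $remote): array {
    $local  = example_readme_contributors($local_readme);
    $remote = example_normalize($remote);
    return [
        'added'   => array_values(array_diff($remote, $local)),
        'removed' => array_values(array_diff($local, $remote)),
        'unknown' => $local === [], // cannot verify, so surface a notice too
    ];
}

// Constructed sample data: a local readme and a remote contributor list.
$readme = "=== Example Plugin ===\r\nContributors: Alice, bob\r\nTags: demo\r\n"
        . "Stable tag: 1.2.0\r\n\r\nShort description.\r\n\r\n"
        . "== Description ==\r\nContributors: not-a-header-line\r\n";
$remote = ['bob', 'newowner'];

$diff = example_contributor_diff($readme, $remote);
if ($diff['unknown'] || $diff['added'] || $diff['removed']) {
    printf(
        "Contributor change: added [%s], removed [%s]%s\n",
        implode(', ', $diff['added']),
        implode(', ', $diff['removed']),
        $diff['unknown'] ? ' (no local baseline)' : ''
    );
}
```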