[wp-trac] [WordPress Trac] #46615: Updates: No package signature can cause updates to fail
WordPress Trac
noreply at wordpress.org
Mon Mar 25 05:51:38 UTC 2019
#46615: Updates: No package signature can cause updates to fail
-------------------------------------+---------------------
Reporter: pento | Owner: (none)
Type: defect (bug) | Status: new
Priority: highest omg bbq | Milestone: 5.2
Component: Upgrade/Install | Version: trunk
Severity: blocker | Resolution:
Keywords: needs-testing has-patch | Focuses:
-------------------------------------+---------------------
Comment (by dd32):
Replying to [comment:8 pento]:
> @dd32: Nice work! Do you have thoughts on the second part of this
> problem?
>
> > This will likely also cause issues with plugins that rely on
> > `WP_Upgrader::download_package()` to return the download package file name
> > when it can continue, and a `WP_Error` when it cannot
> > ([https://plugins.trac.wordpress.org/browser/worker/trunk/src/MMB/Installer.php#L476
> > example]).
We're a little protected here in that currently a softfail is only
returned for WordPress.org domains, so something updating from github for
example wouldn't hit this scenario unless they'd enabled verification (or
another plugin had).
I don't know how often a 3rd party updater would be calling
`WP_Upgrader::download_package()` without also running it through
`WP_Upgrader::run()`. That's really not something that should be done IMHO
(Core_Upgrader is a.. special case).
However, there's also the case of someone calling `download_url()`
directly for a WordPress.org domain (or other signed domain) where that is
also now likely to return an unexpected WP_Error.
One option is to disable the signature verification for both
`WP_Upgrader::download_package()` and `download_url()` by default as long
as we're supporting a `softfail`. [attachment:"46615.2.diff"] does that
(but it's mostly untested).
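As an added example (not code from this ticket, the patch, or WordPress core), here is the kind of defensive wrapper a third-party updater could put around `download_url()` to cope with the soft-fail behaviour dd32 describes. It assumes that `download_url()` accepts `$signature_verification` as its third parameter and that core signals a soft failure by attaching the downloaded file's path to the `WP_Error` under the `softfail-filename` data key; both are assumptions, and the function and URL names are hypothetical.

```php
<?php
/**
 * Download a package and normalise the soft-fail result discussed in the ticket.
 *
 * Requires wp-admin/includes/file.php to be loaded (download_url() lives there).
 *
 * Assumption: on a soft signature failure core returns a WP_Error whose
 * 'softfail-filename' data holds the path of the already-downloaded file.
 * Assumption: download_url() accepts $signature_verification as its third argument.
 *
 * @param string $url    Package URL.
 * @param bool   $strict When true, a soft failure is treated as a hard failure
 *                       (for updaters that want verification enforced).
 * @return string|WP_Error Local file path on success, WP_Error on failure.
 */
function example_fetch_package( $url, $strict = false ) {
	$result = download_url( $url, 300, true );

	// Plain success: the contract plugins relied on before signing was added.
	if ( ! is_wp_error( $result ) ) {
		return $result;
	}

	$softfail_file = $result->get_error_data( 'softfail-filename' );

	// A hard failure, or a soft failure the caller chose not to tolerate.
	if ( ! $softfail_file || $strict ) {
		if ( $softfail_file && file_exists( $softfail_file ) ) {
			unlink( $softfail_file ); // Do not leave an unverified package on disk.
		}
		return $result;
	}

	// Soft failure: the file is usable, but record why verification did not pass
	// so the event is visible in logs rather than silently swallowed.
	error_log( sprintf(
		'Package signature soft-fail for %s (%s): %s',
		$url,
		$result->get_error_code(),
		$result->get_error_message()
	) );

	return $softfail_file;
}

// Usage (hypothetical URL; enforce verification whenever WP_DEBUG is on):
// $file = example_fetch_package( 'https://downloads.wordpress.org/plugin/example.zip', WP_DEBUG );
```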
--
Ticket URL: <https://core.trac.wordpress.org/ticket/46615#comment:9>
WordPress Trac <https://core.trac.wordpress.org/>