[wp-trac] [WordPress Trac] #50455: wp_check_php_version() does not account for backporting and therefore leads to confusing user messages about PHP security
WordPress Trac
noreply at wordpress.org
Tue Jun 23 14:05:01 UTC 2020
#50455: wp_check_php_version() does not account for backporting and therefore leads
to confusing user messages about PHP security
--------------------------------+-----------------------------
 Reporter:  robert.peake        |      Owner:  (none)
     Type:  defect (bug)        |     Status:  new
 Priority:  normal              |  Milestone:  Awaiting Review
Component:  Administration      |    Version:  5.4.2
 Severity:  normal              |   Keywords:
  Focuses:  ui, administration  |
--------------------------------+-----------------------------
The function wp_check_php_version, which drives the PHP update nag in the
admin, relies on http://api.wordpress.org/core/serve-happy/1.0/ but only
passes in the version of PHP to the API.

This does not account for the security practices of distributions such as
RedHat or CentOS, which apply backporting to the versions of PHP that they
support to maintain older versions as secure:
https://access.redhat.com/security/updates/backporting

As a result, the message is confusing to admin users who are unaware of
the underlying operating system in use or of backporting.

OS distribution types are easily discovered in PHP, and could be passed to
the API to check whether backporting were in place to suppress the nag.

While it is possible to use remove_meta_box on a case-by-case basis, it
would be better if this were supported by core, i.e. a misleading message
were not displayed in the first place, rather than special measures being
taken to suppress it.

RedHat and CentOS together represent 20% market share of all Linux
distributions, and Linux represents the vast majority of web servers
running WordPress. This is therefore a widespread issue.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/50455>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
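
A sketch of the distribution check the ticket proposes, added here as an example and not code from WordPress core or the reporter: it parses os-release(5) text and builds the extra fields a version check could send. The function names, the `distro_id`, `distro_version` and `backports` fields, and the sample file contents are assumptions; the serve-happy API is not known to accept them.

```php
<?php
// Added example: every name below is hypothetical, not WordPress core code.

/** Parse os-release(5) "KEY=value" text into an associative array. */
function example_parse_os_release(string $contents): array {
    $fields = [];
    foreach (preg_split('/\R/', $contents) as $line) {
        $line = trim($line);
        // Skip blank lines, comments and anything that is not KEY=value.
        if ($line === '' || $line[0] === '#' || strpos($line, '=') === false) {
            continue;
        }
        [$key, $value] = explode('=', $line, 2);
        // Values may be wrapped in single or double quotes.
        $fields[trim($key)] = trim(trim($value), "\"'");
    }
    return $fields;
}

/** True when ID or ID_LIKE names a distribution family assumed to backport fixes. */
function example_distro_backports(array $os, array $families = ['rhel', 'centos']): bool {
    $ids = array_merge(
        [strtolower($os['ID'] ?? '')],
        preg_split('/\s+/', strtolower($os['ID_LIKE'] ?? ''), -1, PREG_SPLIT_NO_EMPTY)
    );
    return count(array_intersect($ids, $families)) > 0;
}

// Constructed sample; on a live host read it with @file_get_contents('/etc/os-release').
$sample = <<<'EOT'
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
EOT;

$os = example_parse_os_release($sample);

// Hypothetical request fields: the ticket says only the PHP version is sent today.
$payload = [
    'php_version'    => PHP_VERSION,
    'distro_id'      => $os['ID'] ?? 'unknown',
    'distro_version' => $os['VERSION_ID'] ?? 'unknown',
    'backports'      => example_distro_backports($os),
];
print_r($payload);
```

The distribution release is included alongside its name because a vendor backports fixes only while that release is still supported.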