[wp-trac] [WordPress Trac] #50455: wp_check_php_version() does not account for backporting and therefore leads to confusing user messages about PHP security

WordPress Trac noreply at wordpress.org
Tue Jun 23 14:31:37 UTC 2020


#50455: wp_check_php_version() does not account for backporting and therefore leads
to confusing user messages about PHP security
--------------------------+---------------------------------
 Reporter:  robert.peake  |       Owner:  (none)
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  Site Health   |     Version:  5.1
 Severity:  normal        |  Resolution:
 Keywords:  close         |     Focuses:  ui, administration
--------------------------+---------------------------------

Comment (by robert.peake):

 A quick-and-dirty fix could go like this:

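 {{{#!php
 <?php
 function backport_remove_php_nag() {
     if (strtolower(substr(PHP_OS, 0, 5)) === 'linux') {
         // glob() returns an empty array (or false) when nothing matches.
         $files = glob('/etc/*-release');
         if (empty($files)) {
             return;
         }
         $contents = file_get_contents($files[0]);
         if (false === $contents) {
             return;
         }
         // Release files spell the vendor name "Red Hat", with a space.
         if (false !== strstr($contents, 'CentOS') || false !== strstr($contents, 'Red Hat') || false !== strstr($contents, 'Fedora')) {
             // Remove the dashboard PHP nag widget on backporting distros.
             remove_meta_box( 'dashboard_php_nag', 'dashboard', 'normal' );
         }
     }
 }
 add_action( 'wp_dashboard_setup', 'backport_remove_php_nag' );
 }}}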
 Obviously, you could set a transient so you don't have to open a file with
 every admin page load to find the distro, build out a proper list of
 distros that engage in backporting, and let the API maintain this logic
 rather than using a case structure in the code.

 This simple approach assumes that if you encounter a distro that does
 backporting, "all bets are off". It is the hosting provider's job to make
 sure the distro itself is up to date (and therefore any backport updates
 applied).

 I understand your desire to "move PHP usage". But in its current form, you
 are telling somewhere on the order of 10-20% of admin users (many of whom
 have no idea what PHP is, which is why you include a description to help them)
 that "WordPress has detected that your site is running on an insecure
 version of PHP."

 In the case of backporting distros, that is clearly misleading, if not a
 bit alarmist. Even just using the above logic to alter the phrasing would
 help countless hosting providers have more rational conversations with
 their customers.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/50455#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
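
The refinements the comment above suggests (cache the distro check in a transient, match against a maintained list), sketched as an added example that is not part of the original comment or of WordPress core. It reads `ID` and `ID_LIKE` from `/etc/os-release`; the function names, the transient key and the distro list are assumptions, and the check only makes sense where PHP is installed from the distro's own supported packages.

```php
<?php
// Added example, not WordPress core code. Function names, the transient key
// and the distro list are assumptions made for illustration.

/** Parse os-release(5) text into an array of KEY => value. */
function backport_parse_os_release( $text ) {
    $fields = array();
    foreach ( preg_split( '/\R/', (string) $text ) as $line ) {
        // KEY=value, value optionally wrapped in single or double quotes.
        if ( preg_match( '/^([A-Z0-9_]+)=(["\']?)(.*?)\2\s*$/', $line, $m ) ) {
            $fields[ $m[1] ] = $m[3];
        }
    }
    return $fields;
}

/** True when ID or ID_LIKE names a distro on the (assumed) backporting list. */
function backport_is_backporting_distro( array $fields ) {
    $backporting = array( 'rhel', 'centos', 'fedora' ); // assumed list
    $ids = array_merge(
        array( isset( $fields['ID'] ) ? $fields['ID'] : '' ),
        preg_split( '/\s+/', isset( $fields['ID_LIKE'] ) ? $fields['ID_LIKE'] : '' )
    );
    return (bool) array_intersect( array_map( 'strtolower', $ids ), $backporting );
}

function backport_remove_php_nag_cached() {
    $flag = get_transient( 'backport_distro_flag' ); // 'yes', 'no', or false on a cache miss
    if ( false === $flag ) {
        $text = is_readable( '/etc/os-release' ) ? file_get_contents( '/etc/os-release' ) : '';
        $flag = backport_is_backporting_distro( backport_parse_os_release( $text ) ) ? 'yes' : 'no';
        set_transient( 'backport_distro_flag', $flag, DAY_IN_SECONDS );
    }
    if ( 'yes' === $flag ) {
        remove_meta_box( 'dashboard_php_nag', 'dashboard', 'normal' );
    }
}

if ( function_exists( 'add_action' ) ) {
    add_action( 'wp_dashboard_setup', 'backport_remove_php_nag_cached' );
} else {
    // Outside WordPress: run the parser on a constructed sample.
    $sample = "NAME=\"CentOS Linux\"\nID=\"centos\"\nID_LIKE=\"rhel fedora\"\n";
    var_dump( backport_is_backporting_distro( backport_parse_os_release( $sample ) ) );
}
```

The flag is stored as the strings 'yes' and 'no' because `get_transient()` returns `false` on a miss, so a cached boolean `false` would be indistinguishable from an empty cache.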