Changeset 13016

Timestamp:

12/06/2023 12:17:52 AM (16 months ago)

Author:

dd32

Message:

Plugin Directory: Import: Do not import plugins containing invalid Update URI headers.

See #5747

File:

• sites/trunk/wordpress.org/public_html/wp-content/plugins/plugin-directory/cli/class-import.php (modified) (1 diff)

sites/trunk/wordpress.org/public_html/wp-content/plugins/plugin-directory/cli/class-import.php

@@ -86 +86 @@
         $current_stable_tag = get_post_meta( $plugin->ID, 'stable_tag', true ) ?: 'trunk';
         $touches_stable_tag = (bool) array_intersect( [ $stable_tag, $current_stable_tag ], $svn_changed_tags );
+
+        // Validate various headers:
+
+        /*
+         * Check to see if the plugin is using the `Update URI` header.
+         *
+         * Plugins on WordPress.org should NOT use this header, but we do accept some URI formats for it in the API,
+         * so those are allowed to pass here.
+         * Any documentation suggesting that a WordPress.org hosted plugin should use this header is incorrect.
+         */
+        if ( $headers->UpdateURI ) {
+            $update_uri_valid = preg_match( '!^(https?://)?(wordpress.org|w.org)/plugins?/(?P<slug>[^/]+)/?$!i', $headers->UpdateURI, $update_uri_matches );
+            if ( ! $update_uri_valid || $update_uri_matches['slug'] !== $plugin_slug ) {
+                throw new Exception( 'Invalid Update URI header detected: ' . $headers->UpdateURI );
+            }
+        }
 
         // Release confirmation