Changes between Initial Version and Version 1 of Ticket #4661, comment 5

Timestamp:
08/07/2019 05:52:41 PM (2 years ago)
Author:
KestutisIT
Ticket #4661, comment 5

Initial version:

@Ipstenu - thanks for clearing this up. As I have a partnership with PayPal and have done many PayPal integrations, I can confirm that the most secure way to do this is to generate a SHA2-512 or RSA *.cert file for each plugin after it is released and keep that file in the plugin's folder. The cert will ensure that the request is coming from that exact plugin. It should be a URL of W.org and a checksum of the plugin's admin dashboard image icon, or of Plugin/Plugin.php (the main file with the meta description), or just of the meta description. It won't be a checksum of the whole zip, but at least of that one thing it could be. Otherwise I can how hack any plugin on W.org by putting random information there and submitting it to the report, even maybe a '1.0-EVIL' version for, e.g., bbPress. And this will be seen on the reports screen by everyone, as I can print any message I want there with a version, as long as it matches the Semver rule, and Semver allows naming the release. So that's a security risk.

Version 1 (the word "how" corrected to "now"):

@Ipstenu - thanks for clearing this up. As I have a partnership with PayPal and have done many PayPal integrations, I can confirm that the most secure way to do this is to generate a SHA2-512 or RSA *.cert file for each plugin after it is released and keep that file in the plugin's folder. The cert will ensure that the request is coming from that exact plugin. It should be a URL of W.org and a checksum of the plugin's admin dashboard image icon, or of Plugin/Plugin.php (the main file with the meta description), or just of the meta description. It won't be a checksum of the whole zip, but at least of that one thing it could be. Otherwise I can now hack any plugin on W.org by putting random information there and submitting it to the report, even maybe a '1.0-EVIL' version for, e.g., bbPress. And this will be seen on the reports screen by everyone, as I can print any message I want there with a version, as long as it matches the Semver rule, and Semver allows naming the release. So that's a security risk.
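The verification scheme the comment proposes (a per-plugin credential issued at release, bound to a SHA2-512 checksum of the plugin's main file, checked by the directory before a report is accepted), as an added example that is not part of the ticket or of WordPress.org's own code. The plugin header, the per-plugin secret, the report fields and the function names are all constructed for illustration; HMAC-SHA512 with a per-plugin secret stands in for the RSA certificate so that the example runs on the Python standard library alone. It shows a genuine report being accepted, and a forged '1.0-EVIL' report and a tampered genuine report both being rejected.

```python
import hashlib
import hmac
import json

# Constructed sample: the header of a hypothetical plugin's main file
# (the "Plugin/Plugin.php with meta description" the comment refers to).
PLUGIN_MAIN_FILE = b"""<?php
/*
Plugin Name: Example Plugin
Version: 1.0
*/
"""

# Hypothetical per-plugin secret, issued by the directory at release time and
# kept in the plugin folder. It stands in for the RSA certificate proposed in
# the comment: HMAC-SHA512 keeps this example standard-library only, whereas
# with RSA the plugin would hold the private key and the directory the public key.
RELEASE_SECRET = b"per-plugin-secret-issued-at-release"


def file_checksum(main_file: bytes) -> str:
    """SHA2-512 over the plugin's main file, the thing the credential is bound to."""
    return hashlib.sha512(main_file).hexdigest()


def _encode_body(checksum: str, version: str, message: str) -> bytes:
    # Canonical encoding so that signer and verifier authenticate identical bytes.
    return json.dumps(
        {"checksum": checksum, "version": version, "message": message},
        sort_keys=True,
    ).encode()


def make_report(main_file: bytes, secret: bytes, version: str, message: str) -> dict:
    """What a genuine plugin sends: the report body plus a tag computed over it."""
    body = _encode_body(file_checksum(main_file), version, message)
    sig = hmac.new(secret, body, hashlib.sha512).hexdigest()
    return {"body": body.decode(), "sig": sig}


def forge_report(checksum: str, version: str, message: str) -> dict:
    """What an attacker without the secret can produce: a well-formed body
    (the checksum is public, '1.0-EVIL' is valid Semver) and a guessed tag."""
    body = _encode_body(checksum, version, message)
    return {"body": body.decode(), "sig": "00" * 64}


def tamper_report(report: dict, new_version: str) -> dict:
    """Take a genuine report and rewrite only the version field, keeping its tag."""
    fields = json.loads(report["body"])
    fields["version"] = new_version
    return {"body": json.dumps(fields, sort_keys=True), "sig": report["sig"]}


def verify_report(report: dict, secret: bytes, expected_checksum: str) -> bool:
    """Directory side: accept only if the tag is valid for the stored per-plugin
    secret AND the body names the checksum recorded for that plugin at release."""
    body = report["body"].encode()
    expected_sig = hmac.new(secret, body, hashlib.sha512).hexdigest()
    if not hmac.compare_digest(expected_sig, report["sig"]):
        return False
    try:
        fields = json.loads(body)
    except ValueError:
        return False
    return fields.get("checksum") == expected_checksum


if __name__ == "__main__":
    recorded = file_checksum(PLUGIN_MAIN_FILE)
    genuine = make_report(PLUGIN_MAIN_FILE, RELEASE_SECRET, "1.0", "all good")
    forged = forge_report(recorded, "1.0-EVIL", "pwned by me")
    tampered = tamper_report(genuine, "1.0-EVIL")
    print("genuine :", verify_report(genuine, RELEASE_SECRET, recorded))
    print("forged  :", verify_report(forged, RELEASE_SECRET, recorded))
    print("tampered:", verify_report(tampered, RELEASE_SECRET, recorded))
```

The checksum alone would not stop the forgery described in the comment, since anyone can download the plugin and compute it; it is the per-plugin secret (or, in the comment's RSA variant, the private key) that ties a report to the plugin that actually holds the credential, and the checksum then ties that credential to one specific released file.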