WordPress.org

Making WordPress.org

Opened 7 months ago

Last modified 5 weeks ago

#5747 new task

Block plugins using invalid `Update URI` headers

Reported by: dd32
Owned by:
Milestone:
Priority: normal
Component: Plugin Directory
Keywords:
Cc:

Description

WordPress Core now supports the Update URI header for plugins; initial support was added to the update checks in r16912-dotorg, but now we need to ensure that plugin updates served from WordPress.org never have that header set to either a) an invalid URL or b) a URI which is not the W.org-hosted plugin.

There are two benefits of the header:

  1. Plugins which are not hosted on W.org can state that, and a future plugin using the same slug won't override it.
  2. The slug can be determined on W.org much more easily if the plugin defines it. We don't need to compare the slug/name/author/etc. in order to find the right plugin.

The header formats which should be supported for hosted plugins should be either:

  • https://wordpress.org/plugins/$slug/
  • w.org/plugins/$slug
  • Not set

The first is the URL to the public page for the plugin, the second is the id attribute exposed in the update check response. The ID here once was the post ID but I changed it a few years ago.

Anything that is not those two formats should cause the plugin import on WordPress.org to be aborted, and that update to never be served from WordPress.org.

An example of this: ACME Inc commits an update containing:

Plugin Name: ACME Widgets
Author: ACME Inc
Update URI: https://github.com/acme/widgets

That should NOT be packaged and/or served by WordPress.org; the commit should simply be ignored until corrected.

See https://core.trac.wordpress.org/changeset/50921 & r16912-dotorg for the API code.
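As an added illustration of the rule above (not the WordPress.org importer's own code), a PHP check that reads the header from a plugin file and accepts only the two hosted forms for the plugin's own slug, or no header at all; the function names and the sample plugin headers are constructed for this example.

```php
<?php
// Added example, not the WordPress.org importer's own code. Applies the rule from
// the ticket: for a plugin hosted on W.org the "Update URI" header must be unset,
// "https://wordpress.org/plugins/$slug/" or "w.org/plugins/$slug", with $slug equal
// to the slug of the plugin being imported. Function names are hypothetical.

/** Read the Update URI header from a plugin file's header comment ('' when unset). */
function example_read_update_uri( string $plugin_file ): string {
    // Same "Header Name: value" line shape WordPress itself parses from the file header.
    if ( preg_match( '/^[ \t\/*#@]*Update URI:(.*)$/mi', $plugin_file, $m ) ) {
        return trim( $m[1] );
    }
    return '';
}

/** True when $update_uri is one of the permitted forms for the plugin $slug. */
function example_is_valid_update_uri( string $update_uri, string $slug ): bool {
    if ( '' === $update_uri ) {
        return true; // Not set: the plugin is simply treated as W.org hosted.
    }
    // Strict whole-string comparison against the two allowed forms. A prefix or
    // substring check would let look-alike hosts or a different slug slip through.
    $allowed = array(
        'https://wordpress.org/plugins/' . $slug . '/',
        'w.org/plugins/' . $slug,
    );
    return in_array( $update_uri, $allowed, true );
}

/** Importer decision: true = package the commit, false = ignore it until corrected. */
function example_should_import( string $plugin_file, string $slug ): bool {
    return example_is_valid_update_uri( example_read_update_uri( $plugin_file ), $slug );
}

// Constructed sample plugin headers, modelled on the ACME Widgets case in the ticket.
$github_uri = "<?php\n/**\n * Plugin Name: ACME Widgets\n * Author: ACME Inc\n"
            . " * Update URI: https://github.com/acme/widgets\n */\n";
$worg_uri   = "<?php\n/**\n * Plugin Name: ACME Widgets\n * Update URI: w.org/plugins/acme-widgets\n */\n";
$no_uri     = "<?php\n/**\n * Plugin Name: ACME Widgets\n */\n";

var_dump( example_should_import( $github_uri, 'acme-widgets' ) ); // external host: ignore the commit
var_dump( example_should_import( $worg_uri, 'acme-widgets' ) );   // hosted form, own slug: package it
var_dump( example_should_import( $worg_uri, 'other-plugin' ) );   // hosted form, another plugin's slug: ignore
var_dump( example_should_import( $no_uri, 'acme-widgets' ) );     // header not set: package it
```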

Change History (5)

#1 @dd32
7 months ago

  • Summary changed from Block plugins using `Update URI` to Block plugins using invalid `Update URI` headers

This ticket was mentioned in Slack in #docs by dd32.
7 months ago

#3 follow-up: @joyously
7 months ago

Will it check that the slug given matches the slug of the plugin, so it's not pointing to another WP plugin?

#4 in reply to: ↑ 3 @dd32
7 months ago

Replying to joyously:

Will it check that the slug given matches the slug of the plugin, so it's not pointing to another WP plugin?

Yes, that's the intention of this paragraph; I assumed that it would be assumed that the $slug would be the given plugin's slug.

The header formats which should be supported for hosted plugins should be either:

Last edited 7 months ago by dd32

This ticket was mentioned in Slack in #meta by tellyworth.
5 weeks ago
