Index: wp-admin/includes/class-wp-upgrader.php
===================================================================
--- wp-admin/includes/class-wp-upgrader.php	(revision 17692)
+++ wp-admin/includes/class-wp-upgrader.php	(working copy)
@@ -389,11 +389,24 @@
 		$this->strings['process_success'] = __('Plugin installed successfully.');
 	}
 
-	function install($package) {
+	function install($package, $referer = '') {
 
 		$this->init();
 		$this->install_strings();
 
+		// Malware check
+		if ( false !== strpos($package, '://') ) {
+			$malware = wp_passes_malware_check($package, $referer);
+			if ( is_wp_error($malware) ) {;
+				//$this->skin->header();
+				$this->skin->before();
+				$this->skin->error( $malware );
+				$this->skin->after();
+				//$this->skin->footer();
+				return $malware;
+			}
+		}
+
 		$this->run(array(
 					'package' => $package,
 					'destination' => WP_PLUGIN_DIR,
Index: wp-admin/includes/plugin-install.php
===================================================================
--- wp-admin/includes/plugin-install.php	(revision 17692)
+++ wp-admin/includes/plugin-install.php	(working copy)
@@ -136,10 +136,8 @@
 /**
  * Upload from zip
  * @since 2.8.0
- *
- * @param string $page
  */
-function install_plugins_upload( $page = 1 ) {
+function install_plugins_upload() {
 ?>
 	<h4><?php _e('Install a plugin in .zip format') ?></h4>
 	<p class="install-help"><?php _e('If you have a plugin in a .zip format, you may install it by uploading it here.') ?></p>
@@ -151,9 +149,33 @@
 	</form>
 <?php
 }
-add_action('install_plugins_upload', 'install_plugins_upload', 10, 1);
+add_action('install_plugins_upload', 'install_plugins_upload');
 
 /**
+ * Sideload from arbitrary URL
+ * @since 3.1.0
+ */
+function install_plugins_url() {
+	$url = !empty($_GET['url']) ? stripslashes($_GET['url']) : '';
+?>
+	<h4><?php _e('Install a plugin from a URL') ?></h4>
+	<p class="install-help"><?php _e('If you have the URL to a plugin in .zip format, you may install it by providing the URL here.') ?></p>
+	<?php
+	if ( !empty($url) ) {
+		
+	}
+	?>
+	<form method="post" action="<?php echo self_admin_url('update.php?action=sideload-plugin') ?>">
+		<?php wp_nonce_field( 'plugin-sideload' ) ?>
+		<label class="screen-reader-text" for="pluginzip"><?php _e('URL to Plugin zip file'); ?></label>
+		<input type="input" type="text" class="large-text" id="pluginurl" name="pluginurl" value="<?php echo esc_attr($url); ?>" />
+		<input type="submit" class="button" value="<?php esc_attr_e('Install Now') ?>" />
+	</form>
+<?php
+}
+add_action('install_plugins_url', 'install_plugins_url');
+
+/**
  * Display plugin content based on plugin list.
  *
  * @since 2.7.0
Index: wp-admin/includes/update.php
===================================================================
--- wp-admin/includes/update.php	(revision 17692)
+++ wp-admin/includes/update.php	(working copy)
@@ -309,4 +316,48 @@
 }
 add_action( 'admin_notices', 'maintenance_nag' );
 
+/**
+ * Runs a supplied URL against the WordPress Malware checking API.
+ *
+ * The WordPress.org Malware checking API is designed to block known spam sites, These sites might for
+ * example, either provide themes/plugins which insert hidden links, or insert backdoors into themes/plugins.
+ *
+ * A Filter is available for sites/plugins to extend upon this API check, 'malware_check_api' and should return
+ * the same values as expexted from this function.
+ * This function will also check if the URL redirects to another site, and run that through the malware checking API as well.
+ *
+ * @param string $url The URL to check against
+ * @param string $ref The Referer of who has asked for the item to be installed
+ * @return bool|object True on success, WP_Error instance upon failure
+ */
+function wp_passes_malware_check($url, $ref = '') {
+	$_url = parse_url($url);
+	if ( !$_url || empty($_url['host']) || empty($_url['path']) )
+		return new WP_Error('invalid_url', __('An invalid URL was passed'));
+
+	// First check if this URL is a redirection
+	$site = wp_remote_head($url, array( 'timeout' => 10 ) );
+	if ( ! is_wp_error($site) && isset($site['headers']['location']) ) // If it is, Save an API call and check the redirection directly
+		return wp_passes_malware_check($site['headers']['location']);
+
+	if ( ! empty( $ref ) )
+		$ref = '&ref=' . urlencode($ref);
+
+	$api = wp_remote_get('http://api.wordpress.org/themes/malware-check/1.0/?url=' . urlencode($url) . $ref, array( 'timeout' => 10 ) );
+	if ( is_wp_error($api) )
+		return $api;
+
+	switch ( $api['body'] ) {
+		default: // default: The response was malformed, This could be raised by a faulty proxy or intercepted request (..or .org server failure)
+		case '-1': //  unknown URL. This URL should never have reached the API.
+			return new WP_Error('invalid_url', __('An invalid URL was passed'));
+
+		case '0': // blacklisted URL.
+			return new WP_Error('blacklisted_malware', sprintf(__("The URL specified has been blacklisted by WordPress.org's Malware checking service due to security concerns, Please see the <a href='%s'>Codex</a> for more information."), 'http://codex.wordpress.org/spammy_themes_and_plugins') ); //@TODO Codex link & Wording.
+
+		case '1': // Passes the checks.
+			return apply_filters('malware_check_api', true, $url);
+	}
+}
+
 ?>
Index: wp-admin/update.php
===================================================================
--- wp-admin/update.php	(revision 17692)
+++ wp-admin/update.php	(working copy)
@@ -113,7 +113,7 @@
 
 		$type = 'web'; //Install plugin type, From Web or an Upload.
 
-		$upgrader = new Plugin_Upgrader( new Plugin_Installer_Skin( compact('title', 'url', 'nonce', 'plugin', 'api') ) );
+		$upgrader = new Plugin_Upgrader( new Plugin_Installer_Skin( compact('type', 'title', 'url', 'nonce', 'plugin', 'api') ) );
 		$upgrader->install($api->download_link);
 
 		include(ABSPATH . 'wp-admin/admin-footer.php');
@@ -142,6 +142,30 @@
 
 		include(ABSPATH . 'wp-admin/admin-footer.php');
 
+	} elseif ( 'sideload-plugin' == $action ) {
+
+		if ( ! current_user_can('install_plugins') )
+			wp_die(__('You do not have sufficient permissions to install plugins for this site.'));
+
+		check_admin_referer('plugin-sideload');
+
+		$download_url = esc_url_raw( stripslashes( $_POST['pluginurl'] ) );
+
+		$title = __('Plugin Install');
+		$parent_file = 'plugins.php';
+		$submenu_file = 'plugin-install.php';
+		require_once(ABSPATH . 'wp-admin/admin-header.php');
+
+		$title = sprintf( __('Installing Plugin from URL: %s'), $download_url );
+		$nonce = 'plugin-sideload';
+		$url = 'update.php?action=sideload-plugin&pluginurl=' . urlencode( stripslashes( $_POST['pluginurl'] ) );
+		$type = 'web';
+
+		$upgrader = new Plugin_Upgrader( new Plugin_Installer_Skin( compact('type', 'title', 'url', 'nonce') ) );
+		$upgrader->install( $download_url );
+
+		include(ABSPATH . 'wp-admin/admin-footer.php');
+
 	} elseif ( 'upgrade-theme' == $action ) {
 
 		if ( ! current_user_can('update_themes') )
@@ -213,7 +237,7 @@
 		$url = 'update.php?action=install-theme&theme=' . $theme;
 		$type = 'web'; //Install theme type, From Web or an Upload.
 
-		$upgrader = new Theme_Upgrader( new Theme_Installer_Skin( compact('title', 'url', 'nonce', 'plugin', 'api') ) );
+		$upgrader = new Theme_Upgrader( new Theme_Installer_Skin( compact('type', 'title', 'url', 'nonce', 'theme', 'api') ) );
 		$upgrader->install($api->download_link);
 
 		include(ABSPATH . 'wp-admin/admin-footer.php');
@@ -237,7 +261,7 @@
 		$title = sprintf( __('Installing Theme from uploaded file: %s'), basename( $file_upload->filename ) );
 		$nonce = 'theme-upload';
 		$url = add_query_arg(array('package' => $file_upload->filename), 'update.php?action=upload-theme');
-		$type = 'upload'; //Install plugin type, From Web or an Upload.
+		$type = 'upload'; //Install theme type, From Web or an Upload.
 
 		$upgrader = new Theme_Upgrader( new Theme_Installer_Skin( compact('type', 'title', 'nonce', 'url') ) );
 		$upgrader->install( $file_upload->package );