Opened 5 months ago
Last modified 5 months ago
#22898 new defect (bug)
No validation of update_plugins site transient
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | Awaiting Review |
| Component: | Plugins | Version: | 2.3 |
| Severity: | normal | Keywords: | has-patch needs-testing close |
| Cc: | | | |
Description
When retrieving available plugin updates, no checks are done on the update_plugins site transient. Adding a filter on pre_set_site_transient_update_plugins means any developer can modify the update_plugins transient for a plugin to contain incorrect data.
The attached diff has code which is 'reactive', but performs the minimal checks.
This has been tested on trunk.
Attachments (1)
Change History (3)
warrenholmes — 5 months ago
comment:2
SergeyBiryukov — 5 months ago
- Version changed from trunk to 2.3

In my mind, this is a non-issue. If a plugin is modifying the data, it needs to ensure that the data is in the correct format.
All this change will do is silence any warnings the developer would have seen.
Beyond adding items (and using the correct format), or unsetting items, no plugin should be modifying the data in any other way IMHO.
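
An added example, not part of the ticket or its attached patch: a late-priority callback on pre_set_site_transient_update_plugins that checks the shape of the transient after other plugins have modified it, and raises a warning for each malformed entry it drops instead of hiding it. The function name and the field checks (response entries as objects with a string new_version and an optional string package) are assumptions made for illustration.

```php
<?php
// Added example: hypothetical validator, not WordPress core code.
function example_validate_update_plugins( $value ) {
	// Core expects an object; replace anything else, but say so.
	if ( ! is_object( $value ) ) {
		trigger_error( 'update_plugins transient is not an object', E_USER_WARNING );
		return new stdClass();
	}
	// The response list must be an array keyed by plugin file.
	if ( isset( $value->response ) && ! is_array( $value->response ) ) {
		trigger_error( 'update_plugins->response is not an array', E_USER_WARNING );
		$value->response = array();
	}
	if ( empty( $value->response ) ) {
		return $value;
	}
	foreach ( $value->response as $plugin_file => $update ) {
		$problem = '';
		if ( ! is_string( $plugin_file ) || '' === $plugin_file ) {
			$problem = 'key is not a plugin file path';
		} elseif ( ! is_object( $update ) ) {
			$problem = 'entry is not an object';
		} elseif ( empty( $update->new_version ) || ! is_string( $update->new_version ) ) {
			$problem = 'new_version missing or not a string';
		} elseif ( isset( $update->package ) && ! is_string( $update->package ) ) {
			$problem = 'package is not a string';
		}
		if ( '' !== $problem ) {
			// Warn rather than silently repair, so the responsible
			// plugin's author still sees that the data was wrong.
			trigger_error(
				"update_plugins entry '" . $plugin_file . "' dropped: " . $problem,
				E_USER_WARNING
			);
			unset( $value->response[ $plugin_file ] );
		}
	}
	return $value;
}

// Register last so entries added by earlier callbacks are checked too.
// The guard lets the file load outside WordPress as well.
if ( function_exists( 'add_filter' ) ) {
	add_filter( 'pre_set_site_transient_update_plugins', 'example_validate_update_plugins', PHP_INT_MAX );
}
```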