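diff --git a/src/wp-admin/includes/class-core-upgrader.php b/src/wp-admin/includes/class-core-upgrader.php
index bef173c23b..977f6ec9c6 100644
--- a/src/wp-admin/includes/class-core-upgrader.php
+++ b/src/wp-admin/includes/class-core-upgrader.php
@@ -121,7 +121,7 @@ class Core_Upgrader extends WP_Upgrader {
 return new WP_Error( 'locked', $this->strings['locked'] );
 }
 
-$download = $this->download_package( $current->packages->$to_download );
+$download = $this->download_package( $current->packages->$to_download, true );
 
 // Allow for signature soft-fail.
 // WARNING: This may be removed in the future.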
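diff --git a/src/wp-admin/includes/class-wp-upgrader.php b/src/wp-admin/includes/class-wp-upgrader.php
index 7fbecbae0d..cd41df8b9f 100644
--- a/src/wp-admin/includes/class-wp-upgrader.php
+++ b/src/wp-admin/includes/class-wp-upgrader.php
@@ -246,9 +246,10 @@ class WP_Upgrader {
 *
 * @param string $package The URI of the package. If this is the full path to an
 * existing local file, it will be returned untouched.
+* @param bool $check_signatures Whether to validate signatures. Default false.
 * @return string|WP_Error The full path to the downloaded package file, or a WP_Error object.
 */
-public function download_package( $package ) {
+public function download_package( $package, $check_signatures = false ) {
 
 /**
 * Filters whether to return the package.
@@ -275,7 +276,7 @@ class WP_Upgrader {
 
 $this->skin->feedback( 'downloading_package', $package );
 
-$download_file = download_url( $package, 300, true );
+$download_file = download_url( $package, 300, ( $check_signatures ? true : null ) );
 
 if ( is_wp_error( $download_file ) && ! $download_file->get_error_data( 'softfail-filename' ) ) {
 return new WP_Error( 'download_failed', $this->strings['download_failed'], $download_file->get_error_message() );
@@ -730,7 +731,7 @@ class WP_Upgrader {
 * Download the package (Note, This just returns the filename
 * of the file if the package is a local file)
 */
-$download = $this->download_package( $options['package'] );
+$download = $this->download_package( $options['package'], true );
 
 // Allow for signature soft-fail.
 // WARNING: This may be removed in the future.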
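Review bot: The new `$check_signatures` flag can only ever select soft-fail verification, because at the `download_url()` call (new line 279) `( $check_signatures ? true : null )` maps `true` to `$signature_softfail = true`; no caller of `download_package()` can ask for the download to be rejected on a bad signature. The added docblock line says only "Whether to validate signatures", which reads stronger than what the code does, so I would word it as `@param bool $check_signatures Whether to verify the package signature (soft-fail only, and only for hosts download_url() treats as signed). Default false.` The bare `true` at new line 734, and the matching call in class-core-upgrader.php, would also read better with a short comment such as `// Verify the package signature (soft-fail).` The body of `download_package()` starts and ends outside these hunks, so any override in a subclass that still declares the one-parameter signature is not visible here and should be checked.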
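diff --git a/src/wp-admin/includes/file.php b/src/wp-admin/includes/file.php
index 11e5f9231f..f01d091e76 100644
--- a/src/wp-admin/includes/file.php
+++ b/src/wp-admin/includes/file.php
@@ -970,10 +970,10 @@ function wp_handle_sideload( &$file, $overrides = false, $time = null ) {
 *
 * @param string $url The URL of the file to download.
 * @param int $timeout The timeout for the request to download the file. Default 300 seconds.
-* @param bool $signature_softfail Whether to allow Signature Verification to softfail. Default true.
+* @param bool $signature_softfail Whether to allow Signature Verification to softfail. Default null (No verification performed).
 * @return string|WP_Error Filename on success, WP_Error on failure.
 */
-function download_url( $url, $timeout = 300, $signature_softfail = true ) {
+function download_url( $url, $timeout = 300, $signature_softfail = null ) {
 //WARNING: The file is not automatically deleted, The script must unlink() the file.
 if ( ! $url ) {
 return new WP_Error( 'http_no_url', __( 'Invalid URL Provided.' ) );
@@ -1045,7 +1045,7 @@ function download_url( $url, $timeout = 300, $signature_softfail = true ) {
 * @param array List of hostnames.
 */
 $signed_hostnames = apply_filters( 'wp_signature_hosts', array( 'wordpress.org', 'downloads.wordpress.org', 's.w.org' ) );
-$signature_verification = in_array( parse_url( $url, PHP_URL_HOST ), $signed_hostnames, true );
+$signature_verification = in_array( parse_url( $url, PHP_URL_HOST ), $signed_hostnames, true ) && ! is_null( $signature_softfail );
 
 // Perform the valiation
 if ( $signature_verification ) {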
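Review bot: `$signature_softfail` is now a three-state switch, but the docblock at new line 973 still declares it `@param bool`, and one name now decides both whether verification runs and how a failure is treated. With the default changed to `null`, every caller of `download_url()` that omits the third argument skips signature verification at new line 1048, even for a host listed in `wp_signature_hosts`, so the docblock should make that opt-in explicit. I would declare it `@param bool|null $signature_softfail` and list the states: `null` performs no verification, `true` verifies and soft-fails, `false` verifies and fails hard. The last two are inferred from the parameter name, since the handling sits below line 1051, outside the hunk. On style, the cheap `null` test could come first so the host lookup is skipped when verification is off: `$signature_verification = ! is_null( $signature_softfail ) && in_array( parse_url( $url, PHP_URL_HOST ), $signed_hostnames, true );`.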