Ticket #46615: 46615.3.diff

src/wp-admin/includes/class-core-upgrader.php

@@ -121 +121 @@
                         return new WP_Error( 'locked', $this->strings['locked'] );
                 }
 
-                $download = $this->download_package( $current->packages->$to_download );
+                $download = $this->download_package( $current->packages->$to_download, true );
 
                 // Allow for signature soft-fail.
                 // WARNING: This may be removed in the future.

src/wp-admin/includes/class-wp-upgrader.php

@@ -244 +244 @@
          *
          * @since 2.8.0
          *
-         * @param string $package The URI of the package. If this is the full path to an
-         *                        existing local file, it will be returned untouched.
+         * @param string $package          The URI of the package. If this is the full path to an
+         *                                 existing local file, it will be returned untouched.
+         * @param bool   $check_signatures Whether to validate file signatures. Default false.
          * @return string|WP_Error The full path to the downloaded package file, or a WP_Error object.
          */
-        public function download_package( $package ) {
+        public function download_package( $package, $check_signatures = false ) {
 
                 /**
                  * Filters whether to return the package.
@@ -275 +276 @@
 
                 $this->skin->feedback( 'downloading_package', $package );
 
-                $download_file = download_url( $package, 300, true );
+                $download_file = download_url( $package, 300, $check_signatures );
 
                 if ( is_wp_error( $download_file ) && ! $download_file->get_error_data( 'softfail-filename' ) ) {
                         return new WP_Error( 'download_failed', $this->strings['download_failed'], $download_file->get_error_message() );
@@ -730 +731 @@
                  * Download the package (Note, This just returns the filename
                  * of the file if the package is a local file)
                  */
-                $download = $this->download_package( $options['package'] );
+                $download = $this->download_package( $options['package'], true );
 
                 // Allow for signature soft-fail.
                 // WARNING: This may be removed in the future.

src/wp-admin/includes/file.php

@@ -968 +968 @@
  * @since 2.5.0
  * @since 5.2.0 Signature Verification with SoftFail was added.
  *
- * @param string $url                The URL of the file to download.
- * @param int    $timeout            The timeout for the request to download the file. Default 300 seconds.
- * @param bool   $signature_softfail Whether to allow Signature Verification to softfail. Default true.
+ * @param string $url                    The URL of the file to download.
+ * @param int    $timeout                The timeout for the request to download the file. Default 300 seconds.
+ * @param bool   $signature_verification Whether to perform Signature Verification. Default false.
  * @return string|WP_Error Filename on success, WP_Error on failure.
  */
-function download_url( $url, $timeout = 300, $signature_softfail = true ) {
+function download_url( $url, $timeout = 300, $signature_verification = false ) {
         //WARNING: The file is not automatically deleted, The script must unlink() the file.
         if ( ! $url ) {
                 return new WP_Error( 'http_no_url', __( 'Invalid URL Provided.' ) );
@@ -1037 +1037 @@
                 }
         }
 
-        /**
-         * Filters the list of hosts which should have Signature Verification attempted on.
-         *
-         * @since 5.2.0
-         *
-         * @param array List of hostnames.
-         */
-        $signed_hostnames       = apply_filters( 'wp_signature_hosts', array( 'wordpress.org', 'downloads.wordpress.org', 's.w.org' ) );
-        $signature_verification = in_array( parse_url( $url, PHP_URL_HOST ), $signed_hostnames, true );
+        // If the caller expects signature verification to occur, check to see if this URL supports it.
+        if ( $signature_verification ) {
+                /**
+                 * Filters the list of hosts which should have Signature Verification attempteds on.
+                 *
+                 * @since 5.2.0
+                 *
+                 * @param array List of hostnames.
+                 */
+                $signed_hostnames       = apply_filters( 'wp_signature_hosts', array( 'wordpress.org', 'downloads.wordpress.org', 's.w.org' ) );
+                $signature_verification = in_array( parse_url( $url, PHP_URL_HOST ), $signed_hostnames, true );
+        }
 
-        // Perform the valiation
+        // Perform signature valiation if supported.
         if ( $signature_verification ) {
                 $signature = wp_remote_retrieve_header( $response, 'x-content-signature' );
                 if ( ! $signature ) {
@@ -1075 +1078 @@
                          * @param bool   $signature_softfail If a softfail is allowed.
                          * @param string $url                The url being accessed.
                          */
-                        apply_filters( 'wp_signature_softfail', $signature_softfail, $url )
+                        apply_filters( 'wp_signature_softfail', true, $url )
                 ) {
                         $signature_verification->add_data( $tmpfname, 'softfail-filename' );
                 } else {