WordPress.org

Make WordPress Core

Opened 3 years ago

Closed 8 months ago

#22898 closed defect (bug) (wontfix)

No validation of update_plugins site transient

Reported by: warrenholmes
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 2.3
Component: Plugins
Keywords: has-patch needs-testing
Focuses:
Cc:

Description

When retrieving available plugin updates, no checks are done on the update_plugins site transient. Adding a filter on pre_set_site_transient_update_plugins means any developer can modify the update_plugins transient for a plugin to contain incorrect data.

The attached diff has code which is 'reactive', but performs the minimal checks.

This has been tested on trunk.

Attachments (1)

update.diff (1.0 KB) - added by warrenholmes 3 years ago.
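
As an added illustration (not the ticket's update.diff, which is not reproduced on this page, and not WordPress core code), a site-specific plugin could run its own shape check late on the same filter. The function name, the fields treated as required (`new_version`, `package`) and the http/https rule are assumptions of this example.

```php
<?php
// Added example: shape check for the update_plugins site transient.
// Assumption: each entry in ->response is an object with string
// new_version and package properties, keyed by plugin file.
function example_validate_update_plugins( $value ) {
    // The stored value must be an object.
    if ( ! is_object( $value ) ) {
        trigger_error( 'update_plugins: value is not an object', E_USER_WARNING );
        return new stdClass();
    }
    if ( ! isset( $value->response ) ) {
        return $value; // nothing to check
    }
    if ( ! is_array( $value->response ) ) {
        trigger_error( 'update_plugins: response is not an array', E_USER_WARNING );
        $value->response = array();
        return $value;
    }
    foreach ( $value->response as $plugin_file => $item ) {
        $ok = is_string( $plugin_file )
            && is_object( $item )
            && isset( $item->new_version ) && is_string( $item->new_version )
            && isset( $item->package ) && is_string( $item->package )
            // Example policy (assumption): empty package or an http(s) URL.
            && ( '' === $item->package || in_array(
                parse_url( $item->package, PHP_URL_SCHEME ),
                array( 'http', 'https' ),
                true
            ) );
        if ( ! $ok ) {
            // Warn rather than drop silently, so the offending filter is noticed.
            trigger_error( "update_plugins: dropped malformed entry '$plugin_file'", E_USER_WARNING );
            unset( $value->response[ $plugin_file ] );
        }
    }
    return $value;
}

if ( function_exists( 'add_filter' ) ) {
    // Inside WordPress: run after other callbacks on this filter.
    add_filter( 'pre_set_site_transient_update_plugins', 'example_validate_update_plugins', PHP_INT_MAX );
} else {
    // Outside WordPress: constructed sample with one good and one malformed entry.
    $sample = (object) array( 'response' => array(
        'good/good.php' => (object) array( 'new_version' => '1.2', 'package' => 'https://example.org/good.zip' ),
        'bad/bad.php'   => array( 'new_version' => '9.9' ), // array instead of object
    ) );
    var_dump( array_keys( example_validate_update_plugins( $sample )->response ) );
}
```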

Change History (4)

@warrenholmes 3 years ago

comment:1 @dd32 3 years ago

  • Keywords close added

In my mind, this is a non-issue. If a plugin is modifying the data, it needs to ensure that the data is in the correct format.

All this change will do is silence any warnings the developer would have seen.

Beyond adding items (and using the correct format), or unsetting items, no plugin should be modifying the data in any other way IMHO.

comment:2 @SergeyBiryukov 3 years ago

  • Version changed from trunk to 2.3

comment:3 @DrewAPicture 8 months ago

  • Keywords close removed
  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

I agree with Dion in comment:1. Closing as wontfix.