Opened 9 months ago

Last modified 34 hours ago

#43992 new task (blessed)

Prevent activation of a plugin if its required PHP version is too high

Reported by: flixos90
Owned by:
Milestone: 5.1
Priority: normal
Severity: major
Version:
Component: Plugins
Keywords: needs-unit-tests servehappy dev-feedback has-patch
Focuses:
Cc:

Description

Note: This ticket is a subtask for the overarching #40934 ticket.

While the plans from #43986 and #43987 will ensure nobody can install or update plugins that require a PHP version higher than the version used, a third step should be to prevent plugin activations of said plugins. It is still possible to just upload plugin directories and then activate them from there. While the above tickets will cover the majority of cases, we should also account for the latter.

A difference between other work and this one would be that here, we need to read the required PHP version from the plugin readme file directly instead of from the w.org plugins API.

Attachments (9)

43992.diff (3.6 KB) - added by afragen 2 weeks ago.
Prevents plugin activation if either minimum WP or minimum PHP versions not met.
43992-2.diff (4.2 KB) - added by afragen 13 days ago.
Allow for plugins not in Plugin Directory but containing plugin headers Requires WP and/or Requires PHP
43992-3.diff (5.5 KB) - added by afragen 13 days ago.
Need to add Requires WP and Requires PHP as default plugin headers.
43992-4.diff (5.6 KB) - added by afragen 12 days ago.
Allow for API response to error
43992-5.diff (5.7 KB) - added by afragen 12 days ago.
renamed function and more complete docs
43992-6.diff (5.9 KB) - added by afragen 12 days ago.
Improved error checking of API response
43992-7.diff (5.9 KB) - added by afragen 12 days ago.
fixed docBlock error
43992-8.diff (5.9 KB) - added by afragen 11 days ago.
Reverse logic of validate_plugin_activation() to improve readability
43992-9.diff (5.7 KB) - added by afragen 10 days ago.
fix version_compare so 5.1.10 is greater than 5.1.2 and true


Change History (21)

This ticket was mentioned in Slack in #core-php by flixos90. View the logs.


8 months ago

#2 @Luciano Croce
8 months ago

  • Keywords dev-feedback added
  • Severity changed from normal to major

This ticket is fantastic: I am fully in agreement with it, and at its introduction.

I have introduced this good practice in all my plugins for a long time.

This ticket was mentioned in Slack in #core-php by sergey. View the logs.


8 months ago

#4 @flixos90
3 months ago

  • Milestone changed from 5.0 to 5.1

#5 @afragen
4 weeks ago

This could be something as simple as the following.

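add_filter(
	'plugin_action_links',
	function ( $actions, $plugin_file, $plugin_data ) {
		// No 'Requires PHP' header means no restriction. Compare the full running
		// version: truncating it to the header's length would turn 5.1.10 into 5.1.1.
		$compatible_php = ( empty( $plugin_data['Requires PHP'] ) || version_compare( phpversion(), $plugin_data['Requires PHP'], '>=' ) );
		if ( ! $compatible_php ) {
			// Hide the "Activate" link for plugins that need a newer PHP.
			unset( $actions['activate'] );
		}
		return $actions;
	},
	10, // Priority.
	3   // Accepted arguments.
);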

This needs an extra plugin header Requires PHP and if no header is present will allow activation. This is only for the plugins.php page.

I think it's going to be much more difficult to stop activation from an uploaded plugin via the upload panel.

A more inclusive solution would likely require a filter hook into wp-admin/includes/plugin.php validate_plugin() that passes the plugin's headers.

Just brain dumping.

#6 @afragen
2 weeks ago

I've been working on this and should have a patch ready soon. I'll need help with any unit tests.


@afragen
2 weeks ago

Prevents plugin activation if either minimum WP or minimum PHP versions not met.

#7 @afragen
2 weeks ago

  • Keywords has-patch added; needs-patch removed

This ticket was mentioned in Slack in #core-php by afragen. View the logs.


2 weeks ago

#9 @afragen
2 weeks ago

@SergeyBiryukov we can reuse the is_compatible_wp() and is_compatible_php() functions in several of the other Servehappy patches.

@afragen
13 days ago

Allow for plugins not in Plugin Directory but containing plugin headers Requires WP and/or Requires PHP

@afragen
13 days ago

Need to add Requires WP and Requires PHP as default plugin headers.

@afragen
12 days ago

Allow for API response to error

@afragen
12 days ago

renamed function and more complete docs

@afragen
12 days ago

Improved error checking of API response

@afragen
12 days ago

fixed docBlock error

#10 @afragen
11 days ago

A difference between other work and this one would be that here, we need to read the required PHP version from the plugin readme file directly instead of from the w.org plugins API.

Before we can do this some sort of stripped down version of the dot org class-parser.php will need to be included with core.

Once added it should be simple to swap the internals of get_plugin_validation_data() to use the new local parser and parse the local readme.txt.

@afragen
11 days ago

Reverse logic of validate_plugin_activation() to improve readability

This ticket was mentioned in Slack in #core-php by afragen. View the logs.


11 days ago

@afragen
10 days ago

fix version_compare so 5.1.10 is greater than 5.1.2 and true
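
The check discussed in this thread, as an added example that is not part of the ticket or its patches: it reads Requires PHP from readme.txt header text and compares it with a running version, and it shows how shortening the running version to the length of the requirement breaks the 5.1.10 versus 5.1.2 case. The function names and the readme text are constructed for illustration; treating a malformed header like a missing one is an assumption.

```php
<?php
// Added illustration; function names and the readme text are constructed.

// Return the "Requires PHP" value from readme.txt header text, or '' when the
// header is missing. Assumption: a malformed value is treated like a missing one.
function example_required_php( string $readme ): string {
	// Headers live before the first "== Section ==" heading.
	$header = preg_split( '/^==\s/m', $readme, 2 )[0];
	if ( preg_match( '/^Requires PHP:[ \t]*(\d+(?:\.\d+){0,2})\s*$/mi', $header, $m ) ) {
		return $m[1];
	}
	return '';
}

// Full comparison: no header means no restriction.
function example_is_compatible_php( string $required, string $running ): bool {
	return '' === $required || version_compare( $running, $required, '>=' );
}

// Pitfall: cutting the running version down to the requirement's length.
function example_truncated_compare( string $required, string $running ): bool {
	return version_compare( substr( $running, 0, strlen( $required ) ), $required, '>=' );
}

// Constructed readme.txt content; the second "Requires PHP" is body text.
$readme = "=== Example Plugin ===\nRequires at least: 4.9\nRequires PHP: 5.1.2\n\n"
	. "== Description ==\nRequires PHP: 99.0 (body text, ignored)\n";

$required = example_required_php( $readme );
foreach ( array( '5.1.10', '5.1.1', '7.2.10-0ubuntu0.18.04.1' ) as $running ) {
	printf(
		"required %s, running %-24s full=%s truncated=%s\n",
		$required,
		$running,
		var_export( example_is_compatible_php( $required, $running ), true ),
		var_export( example_truncated_compare( $required, $running ), true )
	);
}
```

For the running version 5.1.10 the two functions disagree: the truncated form compares 5.1.1 against 5.1.2 and refuses a version that satisfies the requirement.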

#12 @afragen
34 hours ago

We probably need to change milestone to 5.2
