Make WordPress Core

Opened 4 years ago

Last modified 4 years ago

#52048 assigned enhancement

the functions activate_plugin and deactivate_plugin need validation

Reported by: giuse
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 3.0
Component: Plugins
Keywords:
Focuses:
Cc:

Description

The function activate_plugin https://core.trac.wordpress.org/browser/tags/5.6/src/wp-admin/includes/plugin.php#L633 would need to validate the array of plugins before saving it.

For normal installations, the current plugins are taken by:

$current = get_option( 'active_plugins', array() );

For multisites they are taken by:
get_site_option( 'active_sitewide_plugins', array() );

Both the result of get_option( 'active_plugins', array() ) and get_site_option( 'active_sitewide_plugins', array() ) can be filtered by plugins, so you can't know if $current is a valid array of plugins.

At least, $current should be unique, so I would add

$current = array_unique( $current );

Then I would also check if the plugin files exist before saving the array of active plugins.

I would do the same validation for the function deactivate_plugins https://core.trac.wordpress.org/browser/tags/5.6/src/wp-admin/includes/plugin.php#L633
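
An added example of the validation the description asks for (not code from the ticket or from WordPress core): de-duplicate the list and drop entries whose file does not exist before the option is written back. The helper name example_sanitize_active_plugins and the $plugin_dir parameter (standing in for WP_PLUGIN_DIR) are hypothetical, and the sample data is constructed. It assumes the two option shapes core writes: active_plugins is a plain list of plugin files, while active_sitewide_plugins is keyed by plugin file with the activation time as value.

```php
<?php
// Added example: hypothetical helper, not WordPress core code.
// $plugin_dir stands in for WP_PLUGIN_DIR so the script runs without WordPress.
function example_sanitize_active_plugins( $current, string $plugin_dir, bool $network_wide = false ): array {
    $base = realpath( $plugin_dir );
    if ( ! is_array( $current ) || false === $base ) {
        return array(); // A filter may hand back a non-array value.
    }
    // The network-wide option is keyed by plugin file (value: activation time);
    // the per-site option is a plain list of plugin files.
    $files = $network_wide ? array_keys( $current ) : array_values( $current );
    $valid = array();
    foreach ( $files as $file ) {
        if ( ! is_string( $file ) || '.php' !== substr( $file, -4 ) ) {
            continue;
        }
        $real = realpath( $base . '/' . $file );
        // Drop missing files and paths that resolve outside the plugin directory.
        if ( false === $real || 0 !== strpos( $real, $base . DIRECTORY_SEPARATOR ) ) {
            continue;
        }
        // Using the file as key removes duplicates.
        $valid[ $file ] = $network_wide ? $current[ $file ] : true;
    }
    if ( $network_wide ) {
        return $valid;
    }
    $list = array_keys( $valid );
    sort( $list );
    return $list;
}

// Constructed sample data: one plugin file in a temporary directory.
$dir = sys_get_temp_dir() . '/example-plugins-' . uniqid();
mkdir( $dir . '/hello', 0700, true );
file_put_contents( $dir . '/hello/hello.php', "<?php\n" );

// Constructed "filtered" values: a duplicate, a missing file, a traversal path, a non-string.
$site = array( 'hello/hello.php', 'hello/hello.php', 'gone/gone.php', '../outside.php', 42 );
print_r( example_sanitize_active_plugins( $site, $dir ) );

$network = array( 'hello/hello.php' => 1607000000, 'gone/gone.php' => 1607000001 );
print_r( example_sanitize_active_plugins( $network, $dir, true ) );
```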

Change History (2)

#1 @SergeyBiryukov
4 years ago

  • Component changed from General to Plugins

#2 @hellofromTonya
4 years ago

  • Keywords dev-feedback removed
  • Version changed from 5.6 to 3.0

The $current code was introduced in Version 3.0 per #11767, [12903].
