Opened 5 weeks ago
Last modified 5 weeks ago
#63283 new defect (bug)
Bug in version check returned values from api.wordpress.org
Reported by: | | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | 6.7.2 |
Component: | Upgrade/Install | Keywords: | |
Focuses: | | Cc: | |
Description (last modified by )
There is a bug in the response returned from api.wordpress.org/core/version-check/, called from the wp_version_check function in wp-includes/update.php.
The call there returns JSON with:
"packages":{"full":"https:\/\/downloads.wordpress.org\/release\/bg_BG\/wordpress-6.7.2.zip","no_content":false,"new_bundled":false,"partial":false,"rollback":false}
But in the code there is:
array_map( 'esc_url', $offer['packages'] ),
The function esc_url uses other functions (like ltrim) that do not accept a boolean value; it must be a string.
The returned value must be changed like this:
"packages":{"full":"https:\/\/downloads.wordpress.org\/release\/bg_BG\/wordpress-6.7.2.zip","no_content":"","new_bundled":"","partial":"","rollback":""}
Bug is in: api.wordpress.org
Arguably array_map( 'esc_url', $offer['packages'] ) can be removed from core, as it inherently trusts api.wordpress.org ... it should probably be using esc_url_raw() though.
We can look at making api.wordpress.org change its responses for those keys to '' though to match core behaviour.
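The mapping discussed in this ticket (boolean package slots becoming ''), done on the client side before any URL escaping, as an added example that is not WordPress core code and not written by anyone on the ticket. The helper name normalize_offer_packages() and the https-only rule are assumptions made for illustration; the sample input is the "packages" object quoted in the description, wrapped in braces so it parses as JSON.

```php
<?php
// Added example, not WordPress core code. normalize_offer_packages() is a
// hypothetical helper; it runs stand-alone without WordPress loaded.

// Constructed sample: the "packages" object quoted in the ticket description.
$json = '{"packages":{"full":"https:\/\/downloads.wordpress.org\/release\/bg_BG\/wordpress-6.7.2.zip",'
      . '"no_content":false,"new_bundled":false,"partial":false,"rollback":false}}';

/**
 * Map every package slot to a string before it reaches a URL-escaping
 * function. Non-string values (false, null, numbers) become '', and strings
 * that are not well-formed https URLs are dropped as well (the https-only
 * rule is an assumption of this example, not something the ticket states).
 */
function normalize_offer_packages( array $packages ): array {
    $out = array();
    foreach ( $packages as $key => $value ) {
        if ( ! is_string( $value ) || '' === $value ) {
            $out[ $key ] = '';
            continue;
        }
        $is_url   = false !== filter_var( $value, FILTER_VALIDATE_URL );
        $scheme   = (string) parse_url( $value, PHP_URL_SCHEME );
        $is_https = 'https' === strtolower( $scheme );

        $out[ $key ] = ( $is_url && $is_https ) ? $value : '';
    }
    return $out;
}

// JSON_THROW_ON_ERROR turns a malformed response into an exception instead of
// a silent null that would later be indexed as an array.
$offer    = json_decode( $json, true, 16, JSON_THROW_ON_ERROR );
$packages = normalize_offer_packages( $offer['packages'] ?? array() );

// Every value is now a string, so a call such as
// array_map( 'esc_url', $packages ) only ever receives strings.
foreach ( $packages as $key => $value ) {
    printf( "%-12s => %s\n", $key, var_export( $value, true ) );
}
```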