Make WordPress Core

Changes between Initial Version and Version 1 of Ticket #63283


Timestamp: 04/15/2025 12:52:26 PM (7 months ago)
Author: dd32
Comment:

Arguably array_map( 'esc_url', $offer['packages'] ) can be removed from core, as it inherently trusts api.wordpress.org... it should probably be using esc_url_raw() though.

We can look at making api.wordpress.org change its responses for those keys to '' though to match core behaviour.
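
The type mismatch discussed in this ticket, as an added example that is not WordPress core code and not part of the comment above: it decodes the `packages` object quoted in the ticket description and passes only string values to a URL sanitizer, mapping every other value to `''`. `normalize_packages()` and the fallback sanitizer are hypothetical names introduced here; `esc_url_raw()` is used only when WordPress is loaded.

```php
<?php
// Added example, not WordPress core code.
// Constructed sample: the "packages" object quoted in the ticket description.
$json = '{"packages":{"full":"https:\/\/downloads.wordpress.org\/release\/bg_BG\/wordpress-6.7.2.zip",'
      . '"no_content":false,"new_bundled":false,"partial":false,"rollback":false}}';

/**
 * Hypothetical helper: make every value in an offer's package list a string
 * before it reaches a URL-sanitizing function that expects strings.
 *
 * @param array    $packages Decoded "packages" entry (strings and booleans mixed).
 * @param callable $sanitize URL sanitizer taking and returning a string.
 * @return array Same keys; sanitized URL strings, or '' where no URL was given.
 */
function normalize_packages( array $packages, callable $sanitize ): array {
    $out = array();
    foreach ( $packages as $key => $value ) {
        // Only non-empty strings are treated as URLs. false, null and any
        // other type mean "no package of this kind" and become ''.
        $out[ $key ] = ( is_string( $value ) && '' !== $value ) ? $sanitize( $value ) : '';
    }
    return $out;
}

// Inside WordPress, use esc_url_raw(). Outside it, fall back to a stand-in so
// the example runs on its own. The stand-in is an assumption, not core logic.
$sanitize = function_exists( 'esc_url_raw' )
    ? 'esc_url_raw'
    : static function ( string $url ): string {
        $scheme = strtolower( (string) parse_url( $url, PHP_URL_SCHEME ) );
        $valid  = in_array( $scheme, array( 'http', 'https' ), true )
            && false !== filter_var( $url, FILTER_VALIDATE_URL );
        return $valid ? $url : '';
    };

$offer    = json_decode( $json, true );
$packages = normalize_packages( $offer['packages'], $sanitize );

// Every value is now a string, so later string-only code sees consistent types.
var_dump( $packages );
```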

  • Ticket #63283

    • Property Component changed from General to Upgrade/Install
  • Ticket #63283 – Description

    initial v1  
    11There is a bug that is returned from api.wordpress.org/core/version-check/ called from wp-includes/update.php function wp_version_check.
    22Call there return JSON with:
    3 "packages":{"full":"https:\/\/downloads.wordpress.org\/release\/bg_BG\/wordpress-6.7.2.zip","no_content":false,"new_bundled":false,"partial":false,"rollback":false}
     3`"packages":{"full":"https:\/\/downloads.wordpress.org\/release\/bg_BG\/wordpress-6.7.2.zip","no_content":false,"new_bundled":false,"partial":false,"rollback":false}`
    44But in code is:
    5 array_map( 'esc_url', $offer['packages'] ),
     5`array_map( 'esc_url', $offer['packages'] ),`
    66Function esc_url use in others (like ltrim), that not allow to receive boolean value - must be string.
    77Returned value must be changed like:
    8 "packages":{"full":"https:\/\/downloads.wordpress.org\/release\/bg_BG\/wordpress-6.7.2.zip","no_content":"","new_bundled":"","partial":"","rollback":""}
     8`"packages":{"full":"https:\/\/downloads.wordpress.org\/release\/bg_BG\/wordpress-6.7.2.zip","no_content":"","new_bundled":"","partial":"","rollback":""}`
    99Bug is in: api.wordpress.org