Code Monkey home page Code Monkey logo

Comments (8)

jkudish avatar jkudish commented on September 28, 2024

Hey there,

Thanks for reporting the issue. Interestingly enough, the client for whom I built this class originally had this issue as well on his server.
From my understanding of the issue, it is server/environment specific. I have implemented the following fix for my client. I do believe that this fix could (with some hackery) pose a security threat, but it's a little bit over my head to be 100% honest. Here's the fix: https://gist.github.com/1260379, you can implement it as a standalone plugin or as part of your theme/plugin.

Suggestions welcome for this.
Cheers

from wordpress-github-plugin-updater.

kilbot avatar kilbot commented on September 28, 2024

That works great, thanks!

It would make the WordPress update curl less secure by setting it to trust all certificates ... but as far as I can tell there is no way to give WordPress a list of trusted certificates, so I don't see another option.

from wordpress-github-plugin-updater.

jkudish avatar jkudish commented on September 28, 2024

Yeah exactly, that's why I'd rather not include it in the class by default.

On 2011-10-03, at 5:05 PM, Paul Kilmurray wrote:

That works great, thanks!

It would make the WordPress update curl less secure by setting it to trust all certificates ... but as far as I can tell there is no way to give WordPress a list of trusted certificates, so I don't see another option.

Reply to this email directly or view it on GitHub:
#2 (comment)

from wordpress-github-plugin-updater.

thehelvetian avatar thehelvetian commented on September 28, 2024

I think this can be fixed by adding "'sslverify' => false" to the wp_remote_get args, like:

wp_remote_get($this->config['api_url'], array( 'sslverify' => false );

from wordpress-github-plugin-updater.

jkudish avatar jkudish commented on September 28, 2024

Hey @pmichael thanks for the new and better solution. I can confirm that your solution works, which is great. I will opt to not include this in the core class for now as it could still be seen as a security issue and the initial problem only affects certain installations of WordPress. That being said, I am open to being convinced as to why this should be included in the class.

Also, if anyone does run into this problem, they should definitely use @pmichael's solution.

from wordpress-github-plugin-updater.

thehelvetian avatar thehelvetian commented on September 28, 2024

You're welcome. You could add the option to the config array, setting 'sslverify' => true by default.

from wordpress-github-plugin-updater.

pdclark avatar pdclark commented on September 28, 2024

I ended up playing around with this after realizing that the sslverify option still caused updates to fail because ZIP downloads occur outside of the plugin's HTTP calls.

After monitoring default WordPress updates, I found they normally use HTTP:

These connections aren't verifying with a Certificate Authority, and they are not encrypted. Running Github updates over HTTPS without sslverify causes them to also not check with a Certificate Authority, but they're still encrypted. So, overall, HTTPS without sslverify is still more secure than normal WordPress update requests.

I agree that it's unwise to disable sslverify across the board, because there may be other connections that need it. Using the code below, sslverify can be disabled for Git plugin updates only. I think using this as the default setting will provide safe and stable updates for everyone:

In WPGitHubUpdater::__construct()
// Disable HTTP SSL Certificate Check for Git URLs only
add_filter( 'http_request_args', array($this, 'disable_git_ssl_verify'), 10, 2 );
In WPGitHubUpdater
/**
 * Disable SSL only for git repo URLs, but no other HTTP requests
 *  Allows SSL to be disabled for zips that are downloadeds outside plugin scope
 *
 * @return array $args http_request_args
 */
public function disable_git_ssl_verify($args, $url) {
    if ( in_array($url, $this->config) ) {
        $args['sslverify'] = false; 
    }else {
        return $args;
    }
}

from wordpress-github-plugin-updater.

sc0ttkclark avatar sc0ttkclark commented on September 28, 2024

@pdclark I sort of did something like this, but it was only for the ZIP URLs, since the current codebase only misses it at that point.

#20

from wordpress-github-plugin-updater.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.