Comments (8)
Hey there,
Thanks for reporting the issue. Interestingly enough, the client for whom I built this class originally had this issue as well on his server.
From my understanding of the issue, it is server/environment specific. I have implemented the following fix for my client. I do believe that this fix could (with some hackery) pose a security threat, but it's a little bit over my head to be 100% honest. Here's the fix: https://gist.github.com/1260379, you can implement it as a standalone plugin or as part of your theme/plugin.
Suggestions welcome for this.
Cheers
from wordpress-github-plugin-updater.
That works great, thanks!
It would make the WordPress update curl less secure by setting it to trust all certificates ... but as far as I can tell there is no way to give WordPress a list of trusted certificates, so I don't see another option.
from wordpress-github-plugin-updater.
Yeah exactly, that's why I'd rather not include it in the class by default.
On 2011-10-03, at 5:05 PM, Paul Kilmurray wrote:
That works great, thanks!
It would make the WordPress update curl less secure by setting it to trust all certificates ... but as far as I can tell there is no way to give WordPress a list of trusted certificates, so I don't see another option.
Reply to this email directly or view it on GitHub:
#2 (comment)
from wordpress-github-plugin-updater.
I think this can be fixed by adding "'sslverify' => false" to the wp_remote_get args, like:
wp_remote_get($this->config['api_url'], array( 'sslverify' => false );
from wordpress-github-plugin-updater.
Hey @pmichael thanks for the new and better solution. I can confirm that your solution works, which is great. I will opt to not include this in the core class for now as it could still be seen as a security issue and the initial problem only affects certain installations of WordPress. That being said, I am open to being convinced as to why this should be included in the class.
Also, if anyone does run into this problem, they should definitely use @pmichael's solution.
from wordpress-github-plugin-updater.
You're welcome. You could add the option to the config array, setting 'sslverify' => true
by default.
from wordpress-github-plugin-updater.
I ended up playing around with this after realizing that the sslverify
option still caused updates to fail because ZIP downloads occur outside of the plugin's HTTP calls.
After monitoring default WordPress updates, I found they normally use HTTP:
- http://api.wordpress.org/plugins/info/1.0/
- http://wordpress.org/extend/plugins/wordpress-seo/
- http://downloads.wordpress.org/plugin/wordpress-seo.1.2.4.zip
These connections aren't verifying with a Certificate Authority, and they are not encrypted. Running Github updates over HTTPS without sslverify
causes them to also not check with a Certificate Authority, but they're still encrypted. So, overall, HTTPS without sslverify
is still more secure than normal WordPress update requests.
I agree that it's unwise to disable sslverify
across the board, because there may be other connections that need it. Using the code below, sslverify
can be disabled for Git plugin updates only. I think using this as the default setting will provide safe and stable updates for everyone:
In WPGitHubUpdater::__construct()
// Disable HTTP SSL Certificate Check for Git URLs only
add_filter( 'http_request_args', array($this, 'disable_git_ssl_verify'), 10, 2 );
In WPGitHubUpdater
/**
* Disable SSL only for git repo URLs, but no other HTTP requests
* Allows SSL to be disabled for zips that are downloadeds outside plugin scope
*
* @return array $args http_request_args
*/
public function disable_git_ssl_verify($args, $url) {
if ( in_array($url, $this->config) ) {
$args['sslverify'] = false;
}else {
return $args;
}
}
from wordpress-github-plugin-updater.
@pdclark I sort of did something like this, but it was only for the ZIP URLs, since the current codebase only misses it at that point.
from wordpress-github-plugin-updater.
Related Issues (20)
- Slugs/proper folder name confusion
- Missing plugin name on WordPress Updates page HOT 1
- wp-admin/plugins.php?page=github-updater HOT 2
- Token & Download HOT 8
- Wordpress Multisite
- Gitlab support? HOT 2
- Private repo example HOT 4
- Github search themes and plugins Wordpress plugin
- View details link goes to wordpress HOT 1
- Updated version not getting immediately when update plugin
- Not working for private repo
- Not working for private repo HOT 2
- f(x) Updater - WP Theme and Plugin Updater HOT 2
- Add composer.json HOT 4
- Making URL query parameter requests deprecated as of May 5 HOT 1
- No way to get access_token
- How difficult would it be to make this work with a local Gitea or GitLab repo instead of GitHub?
- Don't update if the new version is a breaking change
- How could I force manually to check plugin updates?
- I'm getting a 400 bad request error when clicking the update button
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from wordpress-github-plugin-updater.