[wp-hackers] WordPress Plugin GUID
wp-hackers at striderweb.com
Fri Jun 5 12:30:18 GMT 2009
On Jun 5, 2009, at 7:06 AM, Jeremy Visser wrote:
> On Thu, 2009-06-04 at 15:11 -0700, Lloyd Budd wrote:
>> The Plugin GUID would get sent to the plugin directory when checking
>> for updates. If the GUID does not match any known plugin in the
>> directory, it would just skip that plugin during the update check. If
>> it matches, use that match. No longer do any heuristic matches on
>> titles, URLs, etc.
> This is a great idea from a security perspective.
> Currently, if a plugin author chooses to self-host his plugin and not
> list it in the directory, a malicious individual could e-mail Matt and
> ask for an entry in the plugin directory with the same slug. Then, the
> malicious individual could release an 'update' to the plugin that
> 0wns the blog.
> However, having a GUID in place means users won't automagically get
> updates to their plugins if a plugin author decides to have theirs
> hosted in the directory after a large quantity of users have already
> downloaded a version that doesn't have a GUID.
> I guess WordPress would have to still offer updates for plugins that
> don't have a local GUID, but the slug matches. Or does that defeat the
> purpose, or not make sense?
I agree that without the GUID it shouldn't offer the update (that is,
only auto-update plugins that came from WP-Extend).
And this is from a guy who doesn't host on WP-Extend. ;)
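The following Python is an added illustration of the two update-check matching strategies the thread contrasts; it is not code from the thread, from WordPress, or from the plugin directory. The data model (`InstalledPlugin`, `DirectoryEntry`), the GUID strings and the package URLs are all constructed for the example. It shows why a slug-only heuristic offers a directory package to a self-hosted plugin that merely shares a slug, while GUID matching skips any plugin that has no GUID or whose GUID matches nothing, which is exactly the trade-off Jeremy describes for plugins installed before their author listed them.

```python
"""Update-check matching: slug heuristic versus GUID pinning (constructed example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class InstalledPlugin:
    """A plugin present on the site. guid is None when the plugin was
    self-hosted or installed before GUIDs existed (constructed model)."""
    slug: str
    version: str
    guid: Optional[str] = None


@dataclass(frozen=True)
class DirectoryEntry:
    """One listing in the plugin directory (constructed model)."""
    slug: str
    guid: str
    latest_version: str
    package_url: str


Matcher = Callable[[InstalledPlugin, List[DirectoryEntry]], Optional[DirectoryEntry]]


def version_tuple(version: str) -> Tuple[int, ...]:
    """Compare dotted versions numerically so "1.10" > "1.9"."""
    return tuple(int(part) for part in version.split("."))


def match_by_slug(installed: InstalledPlugin,
                  directory: List[DirectoryEntry]) -> Optional[DirectoryEntry]:
    """Heuristic matching: any listing with the same slug is treated as the
    same plugin, whether or not the installed copy came from the directory."""
    return next((e for e in directory if e.slug == installed.slug), None)


def match_by_guid(installed: InstalledPlugin,
                  directory: List[DirectoryEntry]) -> Optional[DirectoryEntry]:
    """GUID matching as Lloyd describes it: a plugin without a GUID is
    skipped, a GUID that matches no listing is skipped, and there is no
    fallback to titles, slugs or URLs."""
    if installed.guid is None:
        return None
    return next((e for e in directory if e.guid == installed.guid), None)


def find_update(installed: InstalledPlugin, directory: List[DirectoryEntry],
                matcher: Matcher) -> Optional[DirectoryEntry]:
    """Return the listing an update would be fetched from, or None."""
    entry = matcher(installed, directory)
    if entry is None:
        return None
    if version_tuple(entry.latest_version) > version_tuple(installed.version):
        return entry
    return None


def check_all(installed_plugins: List[InstalledPlugin],
              directory: List[DirectoryEntry],
              matcher: Matcher) -> Dict[str, Optional[str]]:
    """Map each installed slug to the package URL that would be offered,
    or None when the update check skips that plugin."""
    result: Dict[str, Optional[str]] = {}
    for plugin in installed_plugins:
        entry = find_update(plugin, directory, matcher)
        result[plugin.slug] = entry.package_url if entry else None
    return result


# Constructed directory listings; GUIDs and URLs are placeholders.
DIRECTORY = [
    DirectoryEntry("simple-stats", "guid-CONSTRUCTED-0001", "9.9",
                   "https://example.invalid/simple-stats.9.9.zip"),
    DirectoryEntry("site-widget", "guid-CONSTRUCTED-0002", "2.0",
                   "https://example.invalid/site-widget.2.0.zip"),
]

# Constructed site inventory. "simple-stats" is self-hosted and has no GUID;
# the slug-only matcher cannot tell whether the directory listing with the
# same slug is the author's later listing or someone else's, so it offers
# the package either way. The GUID matcher offers nothing for it.
INSTALLED = [
    InstalledPlugin("simple-stats", "1.0"),
    InstalledPlugin("site-widget", "1.9", guid="guid-CONSTRUCTED-0002"),
    InstalledPlugin("legacy-tool", "0.5"),
]

if __name__ == "__main__":
    print("slug heuristic:", check_all(INSTALLED, DIRECTORY, match_by_slug))
    print("guid matching: ", check_all(INSTALLED, DIRECTORY, match_by_guid))
```

Run as a script it prints the two result maps side by side; the only row that differs is `simple-stats`, which the slug heuristic would update from the directory and the GUID check leaves alone.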