[wp-trac] [WordPress Trac] #21622: Validate or sandbox theme file edits before saving them (as is done for plugins)

WordPress Trac noreply at wordpress.org
Fri Sep 22 01:51:59 UTC 2017


#21622: Validate or sandbox theme file edits before saving them (as is done for
plugins)
-------------------------+-----------------------------
 Reporter:  eschwartz93  |       Owner:
     Type:  enhancement  |      Status:  new
 Priority:  high         |   Milestone:  4.9
Component:  Themes       |     Version:  2.7.1
 Severity:  normal       |  Resolution:
 Keywords:  needs-patch  |     Focuses:  administration
-------------------------+-----------------------------
Changes (by westonruter):

 * priority:  normal => high
 * milestone:  Awaiting Review => 4.9


Comment:

 @Clorith That might just work! What it would depend on is being able to
 run two separate PHP processes concurrently, which in theory WordPress can
 do since it's how it normally spawns WP Cron.

 Details for how this could be implemented:

 1. User submits theme editor with change to a PHP file.
 2. WordPress grabs a copy of the file's contents and stores them in memory
 as a backup.
 3. WordPress writes the submitted changes to that file and (invalidates
 the opcache).
 4. WordPress issues an HTTP request //back to itself as the authenticated
 user// to see if the theme/plugin editor screen continues to load
 successfully. That's key, to be able to make an authenticated request back
 to the admin because that is where the user will have to access if they
 find they broke something somewhere else on the site. It wouldn't be
 possible to construct a self-request that would touch the specific PHP
 code that you just modified.
 5. If WordPress receives back an error from that self-request, then it
 writes the backed up changes back to the file (and invalidates the file's
 opcache) and then redirects back to the file editor with a parameter
 indicating there was an error. Any error message scraped from the HTTP
 response could be stuffed into a transient for displaying in the error
 notice. 🚫
 6. Otherwise, if the HTTP response came back successfully, then WordPress
 can redirect to the theme editor with a success parameter to then show the
 updated message. ✅

 The key part in all of this is being able to issue the self-request as the
 user. If we include all of the cookies in the request it may just work.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/21622#comment:13>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
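The six-step loopback check described in the comment above, written out as an added PHP example. This is not WordPress core code and not the patch the ticket eventually received; it is a sketch of the flow. It assumes the caller has already done the capability check and nonce verification for the file editor, that `$file` is an absolute path already confirmed to lie inside the theme directory, and that the request carries the editing user's cookies in `$_COOKIE`. All `example_`-prefixed names are hypothetical; every other function it calls is a standard PHP or WordPress API.

```php
<?php
/**
 * Added example, not WordPress core code: a sketch of the sandboxed
 * theme-file edit described in the Trac comment. Names prefixed with
 * "example_" are hypothetical. Assumes capability and nonce checks
 * already passed and that $file is a validated path inside the theme.
 */
function example_sandboxed_theme_file_edit( $file, $new_content ) {
    // Step 2: keep the previous contents in memory as the rollback copy.
    $previous_content = file_get_contents( $file );
    if ( false === $previous_content ) {
        return new WP_Error( 'unreadable', 'Could not read the current file.' );
    }

    // Step 3: write the change and drop the compiled copy from the opcache;
    // without this the loopback request would still execute the old code.
    if ( false === file_put_contents( $file, $new_content ) ) {
        return new WP_Error( 'unwritable', 'Could not write the file.' );
    }
    example_invalidate_opcache( $file );

    // Step 4: request the admin screen back from the site as the same user by
    // forwarding the browser's cookies, so the check exercises the screen the
    // user would need in order to recover from a broken file.
    $response = wp_remote_get(
        admin_url( 'theme-editor.php' ),
        array(
            'timeout' => 30,
            'cookies' => example_current_request_cookies(),
        )
    );

    // A transport failure or a 5xx from the site counts as "the edit broke it".
    // Caveat: a fatal that occurs after output has started may still return 200,
    // which is why the comment also proposes scraping the body for error text.
    $failed = is_wp_error( $response )
        || wp_remote_retrieve_response_code( $response ) >= 500;

    if ( $failed ) {
        // Step 5: restore the backup, invalidate again, stash the error for the notice.
        file_put_contents( $file, $previous_content );
        example_invalidate_opcache( $file );

        $message = is_wp_error( $response )
            ? $response->get_error_message()
            : wp_strip_all_tags( wp_remote_retrieve_body( $response ) );
        set_transient(
            'example_theme_edit_error_' . get_current_user_id(),
            $message,
            MINUTE_IN_SECONDS
        );

        return new WP_Error( 'loopback_failed', 'The edit was reverted because the site stopped responding.' );
    }

    // Step 6: the admin screen still loads, so the edit stays in place.
    return true;
}

// Remove the cached compiled form of one file so the next request re-reads it.
function example_invalidate_opcache( $file ) {
    if ( function_exists( 'opcache_invalidate' ) ) {
        opcache_invalidate( $file, true );
    }
}

// Forward every cookie from the current request so the loopback is authenticated
// as the editing user rather than as an anonymous visitor.
function example_current_request_cookies() {
    $cookies = array();
    foreach ( $_COOKIE as $name => $value ) {
        $cookies[] = new WP_Http_Cookie( array(
            'name'  => $name,
            'value' => wp_unslash( $value ),
        ) );
    }
    return $cookies;
}
```

The caller would redirect to the editor with an error or success parameter depending on the return value, and the error notice would read the transient keyed by user ID. Two things this sketch leaves to the deployment: the loopback must actually be able to reach the site (hosts that block self-requests or use a self-signed certificate will make every edit look broken), and the rollback write is itself unguarded, so a second failure there should be surfaced rather than silently swallowed.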