[wp-hackers] Automatic Upgrades with InstantUpgrade plugin

Alex Günsche ag.ml2007 at zirona.com
Wed Apr 4 18:17:49 GMT 2007

On Wed, 2007-04-04 at 13:29 -0400, Doug Stewart wrote:
> You'll be FTPing _from_ the webhost _to_ the webhost?  Hmmm.

Right, in order to act as the FTP user, as he's the one to own the

> I agree that messing with the perms on a WP install is a Bad Idea(tm).
>  Your methodology assumes that everyone has FTP access, though, which
> isn't a universal truth.  Some may be CPanel-limited, others
> SFTP-only.

Ok, those are users who would not be able to use this. But I'll limit my
considerations to FTP users. After all, it's just an option, and not
exclusive to othere upgrading methods. (However, the now used method,
where the webserver directly installs the files, could be kept in the
plugin as an alternative option for those without FTP access.)

> The fundamental problem with in-line updates is that, in order for
> them to work, the webserver must have perms to alter the files in
> question which is a terribly vexing security issue in any situation.

Er -- that's the very reason why I'm talking about the FTP stuff
here. ;)

> One tack that hasn't been pursued is a PHP frontend to a shell
> scripted backend.  Have you thought of that, perhaps?  You'd obviously
> need different scripts for Windows vs. *NIX hosts, but it wouldn't
> really be any more insecure than using FTP as a method for doing this.

No, I don't want to do a bash wrapper. There are no benefits to what I
have now, and the whole thing would still run under the UID of the
webserver. Besides, many hosts have system() etc. disabled.

> I guess what I'm trying to say is that web-based updates aren't a
> great idea for the core app.  Migrating to a new version of WP is a
> weighty decision and, as such, ought to have some serious thought put
> into it by the ones doing the updating.

Right. But after all, the plugin's job is to perform the same steps as
the upgrade guide proposes. Nothing more, nothing less.

>   Simply clicking a few buttons
> is a great way to get into a heap o' trouble, particularly if you're a
> leading podcaster with an allergy to README.txts.  *grin*  (And
> Charles, if you're reading this, we love you, buddy!)

Hehe, I agree... He said some nice words about another of my plugins in
an older podcast, so I guess he's not particularily after me. :P


Alex Günsche, Zirona OpenSource-Consulting
http://www.zirona.com/ | Hilfe für das HQ AC: http://www.prohq.de
PubKey for this address: http://www.zirona.com/misc/ag.ml2007.asc

More information about the wp-hackers mailing list