[wp-hackers] Plugin update & security / privacy - Data sent

Moritz 'Morty' Strübe morty at gmx.net
Sun Sep 23 14:29:29 GMT 2007

Omry, although I do agree with you, I'm not sure whether you understand
the situation. We are not discussing what we - in this case they, as I
am not a core-dev and I think neither are you - should do or what is the
best way to solve this problem. The code is there and tested. The
release is Monday, tomorrow. There will be _no_ changes is the way it
works. The only thing that might happen, is that the URL get's wrapped
in a md5 or better not transmitted at all.

Omry Yadan schrieb:
> Sounds good to me.
> maybe we should only send plugin file, version and name.
> also, in the spirit of my original proposal:
> 1. this should not be bundled with the new version check.
> 2. users should explicitly agree to send info before WP sends anything.
> Moritz 'Morty' Strübe wrote:
>> To get some facts out added some debugging output.
>> Notice that there are 11k of data transmitted. Also of course your
>> Wordpress version and your url (which I already encapsulated in a md5).
>> IMHO a list of plugin names and a answer with the current version
>> numbers is enough data to be transmitted.
>> The request:
>> POST /plugins/update-check/1.0/ HTTP/1.0
>> Host: api.wordpress.org
>> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>> Content-Length: 11000
>> User-Agent: WordPress/2.3-RC1; 4b028de5098db7fb05c6d6dd264de215
>> And the data:
>> data:object(stdClass)(2) {
>>   ["plugins"]=>
>>   array(15) {
>>     ["akismet/akismet.php"]=>
>>     array(5) {

More information about the wp-hackers mailing list