[wp-hackers] Plugin update & security / privacy - Data sent

Moritz 'Morty' Strübe morty at gmx.net
Sun Sep 23 14:29:29 GMT 2007


Omry, although I do agree with you, I'm not sure whether you understand
the situation. We are not discussing what we - in this case they, as I
am not a core-dev and I think neither are you - should do or what is the
best way to solve this problem. The code is there and tested. The
release is Monday, tomorrow. There will be _no_ changes in the way it
works. The only thing that might happen is that the URL gets wrapped
in an md5 or better not transmitted at all.
Cheers
Morty


Omry Yadan wrote:
> Sounds good to me.
>
> maybe we should only send plugin file, version and name.
>
> also, in the spirit of my original proposal:
>
> 1. this should not be bundled with the new version check.
>
> 2. users should explicitly agree to send info before WP sends anything.
>
>
> Moritz 'Morty' Strübe wrote:
>
>> To get some facts out I added some debugging output.
>> Notice that there are 11k of data transmitted. Also of course your
>> WordPress version and your url (which I already encapsulated in an md5).
>> IMHO a list of plugin names and an answer with the current version
>> numbers is enough data to be transmitted.
>>
>> The request:
>>
>> POST /plugins/update-check/1.0/ HTTP/1.0
>> Host: api.wordpress.org
>> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>> Content-Length: 11000
>> User-Agent: WordPress/2.3-RC1; 4b028de5098db7fb05c6d6dd264de215
>>
>> And the data:
>>
>> data:object(stdClass)(2) {
>>   ["plugins"]=>
>>   array(15) {
>>     ["akismet/akismet.php"]=>
>>     array(5) {
[...]


