[wp-hackers] WordPress Plugin GUID
Stephen Rider
wp-hackers at striderweb.com
Fri Jun 5 15:11:54 GMT 2009
On Jun 5, 2009, at 9:42 AM, Ozh wrote:
>> Currently, if a plugin author chooses to self-host his plugin and not
>> list it in the directory, a malicious individual could e-mail Matt and
>> ask for an entry in the plugin directory with the same slug. Then, the
>> malicious individual could release an 'update' to the plugin that could
>> 0wn the blog.
>
> oh my...
> fantastic idea >:]
Hmm... I wonder if a non-Extend hosted plugin could protect itself from this? Put in some code that prevents *itself* from being auto-updated by WP?
Something like (untested):
function filter_get_update_plugins( $data ) {
    // Drop whatever update entry WP fetched for this plugin so it is never offered.
    unset( $data->response['myplugin/myplugin.php'] );
    return $data;
}
add_filter( 'option_update_plugins', 'filter_get_update_plugins' );
add_filter( 'transient_update_plugins', 'filter_get_update_plugins' ); // for cached data
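A fuller version of the same idea, added here as an example and not part of Stephen's post or of WordPress itself: instead of blocking every update, it drops an offer for this plugin unless the package URL points at the author's own server. It assumes the code sits in the plugin's main file, uses the filter names of later WordPress versions (site_transient_update_plugins and pre_set_site_transient_update_plugins), and updates.example.com is a placeholder for the author's host.

```php
<?php
/*
 * Added example, not from the original post or from WordPress.
 * Lives in the plugin's main file. Any update offer for THIS plugin is
 * discarded unless the package comes from the author's own host, so a
 * directory entry that reuses the same slug cannot push code onto the site.
 * Assumptions: later-WordPress filter names; updates.example.com is a placeholder.
 */

// Only packages served from this host are treated as ours.
define( 'MYPLUGIN_TRUSTED_UPDATE_HOST', 'updates.example.com' );

function myplugin_package_is_trusted( $package ) {
    if ( ! is_string( $package ) || '' === $package ) {
        return false;
    }
    $host   = parse_url( $package, PHP_URL_HOST );
    $scheme = parse_url( $package, PHP_URL_SCHEME );
    // Require HTTPS and an exact host match (no suffix tricks such as
    // updates.example.com.evil.tld).
    return 'https' === $scheme
        && is_string( $host )
        && strtolower( $host ) === MYPLUGIN_TRUSTED_UPDATE_HOST;
}

function myplugin_filter_update_plugins( $data ) {
    if ( ! is_object( $data ) || empty( $data->response ) ) {
        return $data;
    }
    // Use the real basename rather than a hard-coded 'myplugin/myplugin.php'
    // so a renamed plugin directory is still covered.
    $me = plugin_basename( __FILE__ );
    if ( isset( $data->response[ $me ] ) ) {
        $offer   = $data->response[ $me ];
        $package = isset( $offer->package ) ? $offer->package : '';
        if ( ! myplugin_package_is_trusted( $package ) ) {
            // Not ours: remove the offer so WP never shows or applies it,
            // and leave a trace in the log for the site owner.
            unset( $data->response[ $me ] );
            error_log( sprintf( 'myplugin: rejected update offer from %s', $package ) );
        }
    }
    return $data;
}

// Filter both when the cached transient is read and just before it is stored.
add_filter( 'site_transient_update_plugins', 'myplugin_filter_update_plugins' );
add_filter( 'pre_set_site_transient_update_plugins', 'myplugin_filter_update_plugins' );
```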