[wp-trac] Re: [WordPress Trac] #8927: allow turning off 'calling
home' even _before_ install
WordPress Trac
wp-trac at lists.automattic.com
Tue Feb 24 04:19:22 GMT 2009
#8927: allow turning off 'calling home' even _before_ install
--------------------------------------------------+-------------------------
Reporter: jidanni | Owner: jacobsantos
Type: enhancement | Status: closed
Priority: lowest | Milestone: 2.8
Component: HTTP | Version: 2.7
Severity: trivial | Resolution: fixed
Keywords: dev-feedback has-patch needs-testing |
--------------------------------------------------+-------------------------
Comment(by jacobsantos):
Replying to [comment:14 jidanni]:
> Looks good. OK, I see you all have taken the "lock the liquor store"
> (seal off HTTP access) approach. However that still leaves plenty of
> teenagers (processes that wish to use HTTP) roving around outside
> hoping for access... but I suppose that's how society is.
What other approach is there? Hide all of the liquor or remove the liquor
from the store every night?
> But wait, my "gold standard test" is: starting from a vanilla install,
> all the way even including browsing the dashboard (currently (2.7.1)
> booby trapped to download RSS even before you can reach for "screen
> options"), can I avoid one single download?
I don't understand, WTF are you talking about? If you want to disable HTTP
API, you do so in the wp-config.php, you can do this before you even
install !WordPress or before you enter the dashboard.
> {{{
> * You block external URL requests by defining WP_HTTP_BLOCK_EXTERNAL
> * in your wp-config.php file and this will only allow localhost and
> * your blog to make requests.
> }}}
> Sorry I'm still using 2.7.1, but looking at the new code,
> aren't "localhost and my blog" the ones making those RSS etc.
> requests on the Dashboard?
No, sorry, that should read, "Will only make requests '''to''' localhost
and your blog host."
> By the way,
> {{{
> * The constant WP_ACCESSABLE_HOSTS will allow additional hosts to go
> through for requests.
> }}}
> that would be good for 'Block many, but let through a few', but I'm
> afraid you need one further variable for those who wish to 'Block a few,
> but let through many'.
Yeah, you know, a plugin can hook into it and add theirs. I suppose the
whitelist is more security minded, but a lot more work when you have a
great deal. However, it was not foreseen that there would be many hosts
that you will want to allow. Preventing only a few won't exactly protect
you. If you want to allow more, then you can do so. I suppose, if you have
plugins, you will need to add exceptions for them, for the ones you want
to let through.
Actually, it would be extremely easy to add the ability for allow, deny
constants. I don't foresee myself attempting that at this moment nor in the
near future.
Actually, ACCESSIBLE hosts is misspelled and needs to be corrected (don't
want it to end up like HTTP 'referer' (sic)), so I'll fix that and add
allow and deny. Not this week, but soon.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/8927#comment:16>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
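
The policy described in the message above (with external requests blocked, only localhost, the blog's own host and any listed accessible hosts get through) can be sketched as a default-deny check. This is an added example, not WordPress core code and not part of the original message; the function names, parameters and sample hosts are assumptions.

```php
<?php
// Added illustration, not WordPress core code. All names here are hypothetical.
// Models the thread's policy: when external requests are blocked, only
// localhost, the blog's own host and explicitly allowed hosts pass.

function example_request_host(string $url): ?string
{
    // Parse the URL instead of substring matching, which is fooled by
    // "http://localhost@other.example/" or "http://localhost.other.example/".
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return null; // unparseable or host-less URL
    }
    return strtolower(rtrim($host, '.'));
}

function example_is_blocked(string $url, string $blog_url, bool $block_external, string $allowed_hosts = ''): bool
{
    if (!$block_external) {
        return false; // blocking switched off: every request passes
    }
    $host = example_request_host($url);
    if ($host === null) {
        return true; // fail closed on anything that cannot be parsed
    }
    $allow = ['localhost', example_request_host($blog_url)];
    foreach (explode(',', $allowed_hosts) as $entry) {
        $entry = strtolower(trim($entry));
        if ($entry !== '') {
            $allow[] = $entry; // comma-separated allowlist entries
        }
    }
    return !in_array($host, $allow, true);
}

// Constructed sample input: blog at blog.example, one extra allowed host.
$cases = [
    'http://localhost/wp-cron.php',
    'http://blog.example/?feed=rss2',
    'http://API.allowed.example/check',
    'http://feeds.other.example/rss',
    'http://localhost@other.example/',
    'not a url',
];
foreach ($cases as $url) {
    $blocked = example_is_blocked($url, 'http://blog.example/', true, 'api.allowed.example');
    printf("%-36s %s\n", $url, $blocked ? 'BLOCKED' : 'allowed');
}
```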