[wp-trac] [WordPress Trac] #57719: UpdateURI fails to prevent it's intended purpose
WordPress Trac
noreply at wordpress.org
Fri Oct 11 12:56:21 UTC 2024
#57719: UpdateURI fails to prevent it's intended purpose
--------------------------+-------------------------
Reporter: edouble74 | Owner: (none)
Type: defect (bug) | Status: closed
Priority: normal | Milestone:
Component: Plugins | Version: 6.1.1
Severity: normal | Resolution: worksforme
Keywords: | Focuses:
--------------------------+-------------------------
Comment (by webdados):
I'm cross-commenting here the same thing I commented in #59631, as I believe
it is relevant for both tickets.
IMHO, setting the "Update URI" (to false for example), should deactivate
any update or information request to the wordpress.org API.
On the wp_update_plugins routine, all the installed plugins are queried on
wordpress.org, even if they're not part of the repo, and have specifically
set Update URI as false (as mentioned here
https://make.wordpress.org/core/2021/06/29/introducing-update-uri-plugin-header-in-wordpress-5-8/).
I suggest we make the "false" value on "Update URI" a clear instruction
from the developer that the plugin does not belong to the repo and it
should not be included in any API call whatsoever.
As we stand now, we might be creating serious confidentiality issues and
even breaking the GDPR laws. If someone develops a private plugin for a
company, there's no reason why .org should receive its headers, which may
include information about the developer and the company that should not be
shared by 3rd parties (in which case WordPress.org is the 3rd party).
--
Ticket URL: <https://core.trac.wordpress.org/ticket/57719#comment:8>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
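
A site-side way to keep plugins marked `Update URI: false` out of the update check described in the comment above, as an added example that is not part of the original message or of WordPress core. The function name `example_strip_private_plugins` is hypothetical, and the request shape (a POST to `api.wordpress.org/plugins/update-check/` with a JSON `plugins` body field) is an assumption about what `wp_update_plugins()` sends.

```php
<?php
// Added example, not WordPress core code. Assumes the update check is a POST to
// api.wordpress.org/plugins/update-check/ whose body['plugins'] is JSON holding
// a "plugins" map (plugin file => headers) and an "active" list of plugin files.
add_filter( 'http_request_args', 'example_strip_private_plugins', 10, 2 );

function example_strip_private_plugins( $args, $url ) { // hypothetical name
	$host = wp_parse_url( $url, PHP_URL_HOST );
	$path = (string) wp_parse_url( $url, PHP_URL_PATH );

	// Only touch the plugin update check; every other request passes through.
	if ( 'api.wordpress.org' !== $host || 0 !== strpos( $path, '/plugins/update-check/' ) ) {
		return $args;
	}
	if ( ! is_array( $args['body'] ?? null ) || ! is_string( $args['body']['plugins'] ?? null ) ) {
		return $args;
	}

	$payload = json_decode( $args['body']['plugins'], true );
	if ( ! is_array( $payload ) || ! is_array( $payload['plugins'] ?? null ) ) {
		return $args; // Unexpected shape: leave the request unchanged.
	}

	// Collect every plugin whose "Update URI" header is the literal string "false".
	$removed = array();
	foreach ( $payload['plugins'] as $file => $headers ) {
		$update_uri = is_array( $headers ) ? (string) ( $headers['UpdateURI'] ?? '' ) : '';
		if ( 'false' === strtolower( trim( $update_uri ) ) ) {
			unset( $payload['plugins'][ $file ] );
			$removed[] = $file;
		}
	}
	if ( ! $removed ) {
		return $args;
	}

	// The "active" list also names plugin files, so filter it as well.
	if ( is_array( $payload['active'] ?? null ) ) {
		$payload['active'] = array_values( array_diff( $payload['active'], $removed ) );
	}

	$args['body']['plugins'] = wp_json_encode( $payload );
	return $args;
}
```

Loaded as a must-use plugin, the filter is registered before the scheduled update check runs. Plugins removed this way get no update information from wordpress.org and rely on their own updater, if any.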