
Comments (7)

YahnisElsts avatar YahnisElsts commented on May 16, 2024

Yes, I've noticed SSL-related problems before, though they don't affect my plugins as much since I use plain HTTP for plugin updates.

Within the "public function __construct" I added two filters for disabling SSL verification, right after "$this->installHooks();":

add_filter( 'https_ssl_verify', '__return_false' ); 
add_filter( 'https_local_ssl_verify', '__return_false' );

I wouldn't recommend doing it this way. Those two filters will disable SSL verification for all HTTP requests, not just those sent by the update checker. Users who have up-to-date SSL libraries and use SSL-enabled plugins probably wouldn't appreciate that.

Besides, it's redundant - simply setting the sslverify request option to false is enough.

In addition, within "public function requestInfo($queryArgs = array()){" I also added the wp_remote_get-option
'sslverify' => false,
so that with plugin checks also no SSL verification is done.

You can actually do that without modifying the update checker. Use the puc_request_info_options-$slug filter. It's undocumented (sorry!), but it was designed for situations exactly like this.

Here's an example:

// Filter callback: receives the wp_remote_get() options used for the metadata request.
function disable_ssl_for_updates($options) {
    $options['sslverify'] = false;
    return $options;
}

$pluginSlug = 'example'; //Replace with your own plugin slug.
add_filter('puc_request_info_options-' . $pluginSlug, 'disable_ssl_for_updates');

from plugin-update-checker.

seyfro avatar seyfro commented on May 16, 2024

Hi Yahnis,

thanks for the feedback - too bad that disabling the SSL verification by adding filters to "public function __construct" disables all SSL verification on the current sites and not just for plugin update checker, haven't thought about this :-/

anyway just setting sslverify to false by editing the code or adding a filter as proposed by you is not enough if the plugin package also is downloaded via SSL (in my case https://www.mapsmarker.com/updates/?action=download&slug=leaflet-maps-marker-pro) - setting the filter as you proposed only removes the SSL verification when accessing get_metadata on my update server and not when downloading the actual package.
Tested this yesterday on a customer site - accessing get_metadata on my server with sslverify=false worked fine, while actually downloading the package by updating the plugin failed because of SSL verification.

I guess there is no way to also selectively disable SSL verification only for plugin downloads delivered via my plugin update server on https (please correct me if I am wrong).
Anyway I will follow a pragmatic approach: get_metadata is still done via SSL with SSL verification disabled through sslverify=false, and within my plugin update server I will change the download_url to http again.
best,

Robert


YahnisElsts avatar YahnisElsts commented on May 16, 2024

anyway just setting sslverify to false by editing the code or adding a filter as proposed by you is not enough if the plugin package also is downloaded via SSL

Oops, you're right. I hadn't considered that.

How about the http_request_args filter? I haven't used it myself, but it looks like it would let you change request options based on the request URL. Maybe you could use it to selectively disable the sslverify flag for requests sent to your server.


seyfro avatar seyfro commented on May 16, 2024

mhhh - not sure. Could work, although I wouldn't dare any experiments here - it is too critical for me to get updates out to all users, especially as I am doing vulnerability checks regularly.
anyway the advantage of fetching an update package via https but without SSL verification doesn't have that much additional security value, does it? it is more a bit like the security through obscurity principle I guess.


YahnisElsts avatar YahnisElsts commented on May 16, 2024

anyway the advantage of fetching an update package via https but without SSL verification doesn't have that much additional security value, does it? it is more a bit like the security through obscurity principle I guess.

I'm no security expert, but it sounds like it would leave the users vulnerable to man-in-the-middle attacks.


seyfro avatar seyfro commented on May 16, 2024

me neither, but as far as I understand SSL, man-in-the-middle attacks can only be prevented if the ssl certificate is checked...anyway I do not guess that plugin updates are really an attack vector...


ajoah avatar ajoah commented on May 16, 2024

For those interested, the code I used to only disable SSL verification for requests sent to my update server:

// http_request_args passes the parsed request options and the full request URL (priority 10, 2 arguments).
add_filter('http_request_args', 'my_http_request_args', 10, 2);
function my_http_request_args($request_args, $url) {
    // Only override the option for URLs that start with the update server's address.
    if (strpos($url, 'http://example.com/') === 0) {
        $request_args['sslverify'] = false;
    }
    return $request_args;
}

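An added example (not code from the plugin-update-checker project or from anyone in this thread) that takes the http_request_args approach suggested above one step further: instead of setting sslverify to false for the update host, it keeps verification on and points WordPress's sslcertificates request option at a CA bundle shipped with the plugin, so an outdated CA store on a customer site cannot fail the metadata request or the package download (both go through WP_Http, so one filter covers both). The host name, bundle path and function names are assumptions for illustration.

```php
<?php
// Added example, not part of plugin-update-checker. Scopes a per-host
// override to HTTPS requests for one update server and keeps certificate
// verification enabled by supplying a known-good CA bundle.

// Assumed host that serves both get_metadata and the download package.
define( 'MY_UPDATE_HOST', 'updates.example.com' );

// Assumed path to a CA bundle bundled with the plugin that contains the
// issuing chain for MY_UPDATE_HOST's certificate.
define( 'MY_UPDATE_CA_BUNDLE', __DIR__ . '/certs/update-server-ca.pem' );

function my_update_server_request_args( $request_args, $url ) {
    // Parse the URL rather than testing a string prefix, so that a URL which
    // merely starts with the same text cannot match by accident.
    $scheme = wp_parse_url( $url, PHP_URL_SCHEME );
    $host   = wp_parse_url( $url, PHP_URL_HOST );

    // Leave every request to other hosts (wordpress.org, other plugins'
    // servers) exactly as WordPress built it.
    if ( 'https' !== $scheme || strtolower( (string) $host ) !== MY_UPDATE_HOST ) {
        return $request_args;
    }

    if ( is_readable( MY_UPDATE_CA_BUNDLE ) ) {
        // Verification stays on; only the trust store used for this host
        // changes to the bundle we ship, which is newer than the site's.
        $request_args['sslverify']       = true;
        $request_args['sslcertificates'] = MY_UPDATE_CA_BUNDLE;
    } else {
        // Bundle missing: fall back to the WordPress default bundle and make
        // the problem visible in the log instead of disabling verification.
        error_log( 'Update CA bundle not readable: ' . MY_UPDATE_CA_BUNDLE );
    }

    return $request_args;
}
add_filter( 'http_request_args', 'my_update_server_request_args', 10, 2 );
```

The same hook fires for the get_metadata request and for the package fetch done by download_url(), so the override does not need to be repeated in the update checker's own filter.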
