Comments (7)
Yes, I've noticed SSL-related problems before, though they don't affect my plugins as much since I use plain HTTP for plugin updates.
Within "public function __construct" I added two filters for disabling SSL verification, right after "$this->installHooks();":
add_filter( 'https_ssl_verify', '__return_false' );
add_filter( 'https_local_ssl_verify', '__return_false' );
I wouldn't recommend doing it this way. Those two filters will disable SSL verification for all HTTP requests, not just those sent by the update checker. Users who have up-to-date SSL libraries and use SSL-enabled plugins probably wouldn't appreciate that.
Besides, it's redundant - simply setting the sslverify request option to false is enough.
In addition, within "public function requestInfo($queryArgs = array()){" I also added the wp_remote_get option
'sslverify' => false,
so that no SSL verification is done for the plugin checks either.
You can actually do that without modifying the update checker. Use the puc_request_info_options-$slug filter. It's undocumented (sorry!), but it was designed for situations exactly like this. Here's an example:
// Filter callback: receives the request options the update checker will pass to wp_remote_get().
function disable_ssl_for_updates($options) {
    $options['sslverify'] = false;
    return $options;
}
$pluginSlug = 'example'; // Replace with your own plugin slug.
add_filter('puc_request_info_options-' . $pluginSlug, 'disable_ssl_for_updates');
from plugin-update-checker.
Hi Yahnis,
thanks for the feedback - too bad that disabling the SSL verification by adding filters to "public function __construct" disables all SSL verification on the current site and not just for the plugin update checker, hadn't thought about this :-/
anyway, just setting sslverify to false by editing the code or adding a filter as proposed by you is not enough if the plugin package is also downloaded via SSL (in my case https://www.mapsmarker.com/updates/?action=download&slug=leaflet-maps-marker-pro) - setting the filter as you proposed only removes the SSL verification when accessing get_metadata on my update server and not when downloading the actual package.
Tested this yesterday on a customer site - accessing get_metadata on my server with sslverify=false worked fine, while actually downloading the package by updating the plugin failed because of SSL verification.
I guess there is no way to selectively disable SSL verification for plugin downloads delivered via my plugin update server over https either (please correct me if I am wrong).
Anyway, I will follow a pragmatic approach: get_metadata is still done via SSL with SSL verification disabled through sslverify=false, and within my plugin update server I will change the download_url back to http.
best,
Robert
from plugin-update-checker.
anyway, just setting sslverify to false by editing the code or adding a filter as proposed by you is not enough if the plugin package is also downloaded via SSL
Oops, you're right. I hadn't considered that.
How about the http_request_args filter? I haven't used it myself, but it looks like it would let you change request options based on the request URL. Maybe you could use it to selectively disable the sslverify flag for requests sent to your server.
from plugin-update-checker.
mhhh - not sure. Could work, although I wouldn't dare any experiments here - it is too critical for me to get updates out to all users, especially as I am doing vulnerability checks regularly.
anyway, fetching an update package via https but without SSL verification doesn't have much additional security value, does it? It is more a bit like the security through obscurity principle, I guess.
from plugin-update-checker.
anyway, fetching an update package via https but without SSL verification doesn't have much additional security value, does it? It is more a bit like the security through obscurity principle, I guess.
I'm no security expert, but it sounds like it would leave the users vulnerable to man-in-the-middle attacks.
from plugin-update-checker.
me neither, but as far as I understand SSL, man-in-the-middle attacks can only be prevented if the SSL certificate is checked... anyway, I don't think that plugin updates are really an attack vector...
from plugin-update-checker.
For those interested, the code I used to only disable SSL verification for requests sent to my update server:
add_filter('http_request_args', 'my_http_request_args', 10, 2);
// Runs for every request made through the WordPress HTTP API, including the package download.
function my_http_request_args($request_args, $url) {
    // sslverify only has an effect on https URLs, so match the https address of the update server.
    if (strpos($url, 'https://example.com/') === 0) {
        $request_args['sslverify'] = false;
    }
    return $request_args;
}
from plugin-update-checker.
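A tightened version of the http_request_args approach from the thread, added here as an example; it is not code from plugin-update-checker or from any of the commenters. It matches the request URL by scheme and exact host with parse_url() instead of a string prefix (a prefix check on "https://example.com/" can be fooled by a host such as example.com.evil.tld), and it covers both the get_metadata call and the package download, since download_url() also goes through the WordPress HTTP API and this filter. Where a CA bundle shipped with the plugin is available it keeps verification on and points WordPress's sslcertificates request option at that bundle, which is an alternative the thread does not discuss; only when no bundle is present does it fall back to sslverify=false for that host alone. The host name updates.example.com, the constant name and the certs/update-server-ca.pem path are assumptions for the example.

```php
<?php
/**
 * Added example (not from plugin-update-checker or the original comments).
 * Scopes TLS options to a single update host instead of the whole site.
 *
 * Assumptions (hypothetical, replace with your own values):
 *   - the update server is https://updates.example.com
 *   - a CA bundle able to validate that server ships with the plugin at
 *     certs/update-server-ca.pem, relative to this file
 */

const EXAMPLE_UPDATE_HOST = 'updates.example.com';

/**
 * Callback for the WordPress 'http_request_args' filter. WordPress passes
 * the request options and the request URL for every request made through
 * its HTTP API, which includes the ZIP fetch done by download_url(), so the
 * metadata request and the package download are both covered.
 */
function example_update_server_request_args(array $args, $url) {
    $parts = parse_url($url);
    // Act only on https requests to exactly our host. An http:// URL is never
    // verified anyway, and comparing the parsed host avoids prefix tricks
    // such as https://updates.example.com.evil.tld/.
    if (!is_array($parts)
        || empty($parts['scheme']) || strtolower($parts['scheme']) !== 'https'
        || empty($parts['host']) || strtolower($parts['host']) !== EXAMPLE_UPDATE_HOST) {
        return $args;
    }

    $bundle = __DIR__ . '/certs/update-server-ca.pem';
    if (is_readable($bundle)) {
        // Preferred: keep certificate verification on, but validate against
        // a CA bundle we ship, which sidesteps an outdated CA store on the host.
        $args['sslverify']       = true;
        $args['sslcertificates'] = $bundle;
    } else {
        // Fallback matching the thread's approach: verification is switched
        // off for this one host only, never globally.
        $args['sslverify'] = false;
    }
    return $args;
}

if (function_exists('add_filter')) {
    // Inside WordPress: register the callback with priority 10 and 2 arguments.
    add_filter('http_request_args', 'example_update_server_request_args', 10, 2);
}

// Stand-alone check outside WordPress (php this-file.php) on constructed URLs.
if (PHP_SAPI === 'cli' && !function_exists('add_filter')) {
    $cases = [
        'https://updates.example.com/?action=get_metadata&slug=example',
        'https://updates.example.com/?action=download&slug=example',
        'https://updates.example.com.evil.tld/?action=download',
        'http://updates.example.com/?action=download',
        'https://api.wordpress.org/plugins/update-check/1.1/',
    ];
    foreach ($cases as $u) {
        $r = example_update_server_request_args(['sslverify' => true], $u);
        printf("%-62s sslverify=%s%s\n", $u, var_export($r['sslverify'], true),
            isset($r['sslcertificates']) ? ' (custom CA bundle)' : '');
    }
}
```

Run from the command line, the only URLs whose options change are the two on updates.example.com; the look-alike host, the plain http URL and api.wordpress.org keep sslverify=true, which is the whole point of scoping the filter by host rather than applying https_ssl_verify site-wide.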