Upgrade/Install: Add experimental package signing to some updates.

This adds code for soft verification of signatures for theme and plugin installs and updates, when provided by the update server. This experimental version does not reject unverified packages or failed signatures; it simply reports anonymous errors so we can evaluate its feasibility and detect incompatibilities.

This code relies on the new sodium_compat library for PHP versions prior to 7.2.

Props dd32, paragoninitiativeenterprises.
See #39309, #45806.


git-svn-id: https://develop.svn.wordpress.org/trunk@44954 602fd350-edb4-49c9-b593-d223f7449a82
Alex Shiels
2019-03-21 05:48:46 +00:00
parent 53f45b4dfc
commit 2976cfb7ca
2 changed files with 189 additions and 5 deletions


@@ -275,9 +275,9 @@ class WP_Upgrader {
$this->skin->feedback( 'downloading_package', $package );
$download_file = download_url( $package );
$download_file = download_url( $package, 300, true );
if ( is_wp_error( $download_file ) ) {
if ( is_wp_error( $download_file ) && ! $download_file->get_error_data( 'softfail-filename' ) ) {
return new WP_Error( 'download_failed', $this->strings['download_failed'], $download_file->get_error_message() );
}
@@ -731,6 +731,25 @@ class WP_Upgrader {
* of the file if the package is a local file)
*/
$download = $this->download_package( $options['package'] );
// Allow for signature soft-fail.
// WARNING: This may be removed in the future.
if ( is_wp_error( $download ) && $download->get_error_data( 'softfail-filename' ) ) {
// Outout the failure error as a normal feedback, and not as an error:
$this->skin->feedback( $download->get_error_message() );
// Report this failure back to WordPress.org for debugging purposes.
wp_version_check(
array(
'signature_failure_code' => $download->get_error_code(),
'signature_failure_data' => $download->get_error_data(),
)
);
// Pretend this error didn't happen.
$download = $download->get_error_data( 'softfail-filename' );
}
if ( is_wp_error( $download ) ) {
$this->skin->error( $download );
$this->skin->after();