More validation of plugin files #1898

Open
ozh opened this Issue May 4, 2015 · 6 comments

@ozh
Member

ozh commented May 4, 2015

You can activate a file that's not a plugin at all, see #1897

  • this file appears with (no info) as name, author, version and description: I think at least a name should be mandatory
  • (no info) as plugin name and plugin author are absurdly linked to http://sho.rt/admin/(no%20info)
  • is there any way to check that the file is at least some PHP?
@dgw

Collaborator

dgw commented May 4, 2015

What about checking that the file contains <?php? Not foolproof, certainly, but better than no check at all. HTML should fail that test because < needs to be escaped.
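
An added example, in PHP, of the static checks discussed in this thread (not YOURLS code and not from any commenter): the file must resolve inside the plugin directory, start with <?php, tokenise without a parse error, and carry a Plugin Name: header. It goes one step further than the plain <?php test by running token_get_all() with the TOKEN_PARSE flag (PHP 7.0+), which rejects a file that begins with the open tag but is not valid PHP, without executing anything in it. The yourls_ex_* names, the header field list (the usual Plugin Name:, Version:, Author: convention) and the sample files are assumptions made for the demo.

```php
<?php
// Added example, not YOURLS code. Names prefixed yourls_ex_ are hypothetical.
// Assumes PHP 7.0+ (TOKEN_PARSE flag and the ParseError class).

const YOURLS_EX_BOM = "\xEF\xBB\xBF";

/**
 * Read "Key: value" lines from the leading comment block, the way plugin
 * headers (Plugin Name:, Version:, Author:, ...) are written.
 */
function yourls_ex_plugin_header(string $source): array
{
    $fields = ['Plugin Name', 'Plugin URI', 'Description', 'Version', 'Author', 'Author URI'];
    $data   = [];
    foreach ($fields as $field) {
        // Tolerate comment decoration (/*, *, #, whitespace) before the key.
        $re = '/^[ \t\/*#@]*' . preg_quote($field, '/') . ':(.*)$/mi';
        if (preg_match($re, $source, $m)) {
            $data[$field] = trim($m[1]);
        }
    }
    return $data;
}

/**
 * Static checks only: nothing in the file is executed.
 * Returns a list of problems; an empty list means the file passed.
 */
function yourls_ex_validate_plugin(string $path, string $plugin_dir): array
{
    // 1. The file must resolve inside the plugin directory (blocks ../ and symlink escapes).
    $real = realpath($path);
    $dir  = realpath($plugin_dir);
    if ($real === false || $dir === false || strpos($real, $dir . DIRECTORY_SEPARATOR) !== 0) {
        return ['file is not inside the plugin directory'];
    }
    if (substr($real, -4) !== '.php') {
        return ['plugin file must end in .php'];
    }
    $source = file_get_contents($real);
    if ($source === false || $source === '') {
        return ['file is empty or unreadable'];
    }

    // 2. Must start with the open tag (the check proposed above), UTF-8 BOM tolerated.
    if (substr($source, 0, 3) === YOURLS_EX_BOM) {
        $source = substr($source, 3);
    }
    if (strncasecmp($source, '<?php', 5) !== 0) {
        return ['file does not start with <?php'];
    }

    // 3. Must tokenise without a parse error, so a truncated or non-PHP file
    //    that merely begins with <?php is still rejected.
    try {
        $tokens = token_get_all($source, TOKEN_PARSE);
    } catch (ParseError $e) {
        return ['parse error on line ' . $e->getLine() . ': ' . $e->getMessage()];
    }
    $errors = [];
    // Raw markup outside <?php ... ?> would be echoed on every page that loads the plugin.
    foreach ($tokens as $t) {
        if (is_array($t) && $t[0] === T_INLINE_HTML && trim($t[1]) !== '') {
            $errors[] = 'file contains inline HTML outside PHP tags';
            break;
        }
    }

    // 4. A Plugin Name header is mandatory; the other fields stay optional.
    $header = yourls_ex_plugin_header($source);
    if (empty($header['Plugin Name'])) {
        $errors[] = 'missing "Plugin Name:" header';
    }
    return $errors;
}

// Demo on constructed files (sample input, not real plugins).
$tmp = sys_get_temp_dir() . '/yourls_ex_' . uniqid();
$samples = [
    'html-file' => "<html><body>not a plugin</body></html>\n",
    'truncated' => "<?php\nfunction ex_broken( {\n",
    'no-header' => "<?php\nfunction ex_anon() {}\n",
    'good'      => "<?php\n/*\nPlugin Name: Example\nVersion: 1.0\nAuthor: someone\n*/\nfunction ex_hello() { return 'hi'; }\n",
];
foreach ($samples as $name => $src) {
    mkdir("$tmp/$name", 0700, true);
    file_put_contents("$tmp/$name/plugin.php", $src);
    $problems = yourls_ex_validate_plugin("$tmp/$name/plugin.php", $tmp);
    printf("%-10s %s\n", $name, $problems ? implode('; ', $problems) : 'OK');
    unlink("$tmp/$name/plugin.php");
    rmdir("$tmp/$name");
}
rmdir($tmp);
```

Passing these checks only establishes that the file is well-formed PHP with a header; it says nothing about what the code does once included, which is the gap a sandboxed activation step would have to cover.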

@vaughany

vaughany commented May 5, 2015

Could you require that plugin authors provide author name, plugin name, plugin version and plugin release date inside a function which you can call from the core code? A failure to find the function, or if null/empty return would prevent the plugin being made live.

@ozh

Member

ozh commented May 5, 2015

Requiring all the info won't help make sure the plugin is valid; requiring a release date would also break 100% of existing plugins, which we won't do.

Ideally we need a sandboxed activation process, like it's done in WordPress, but I haven't butchered and dissected their way of doing it yet :)
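
A sandboxed activation step, as an added example in PHP (not YOURLS code, and not a port of WordPress's mechanism, which does its test include inside a separate admin request): the candidate file is included in a throwaway child PHP process before the real process ever touches it, so a fatal error, a parse error or stray output at include time is caught without taking down the admin page. Assumptions: a php CLI binary is reachable by the web server user (PHP_BINARY, else "php" on PATH); the yourls_ex_* names are hypothetical; the child either requires a caller-supplied bootstrap file to load the real core or, for this stand-alone demo, defines no-op stubs for yourls_add_action() and yourls_add_filter(); the sample plugin files are constructed.

```php
<?php
// Added example, not YOURLS code. Names prefixed yourls_ex_ are hypothetical.
// Assumes a php CLI binary is reachable (PHP_BINARY, falling back to "php" on PATH).

/**
 * Include $plugin_file in a throwaway child process and report whether it
 * survived. $bootstrap is the file the child requires first to get the real
 * core loaded; when empty, the child defines no-op hook stubs so this demo
 * runs on its own (the stub names are an assumption about the hook API).
 * Returns ['ok' => bool, 'exit' => int, 'output' => string].
 */
function yourls_ex_sandbox_include(string $plugin_file, string $bootstrap = ''): array
{
    // Runner script fed to the child over stdin; the plugin path and the
    // bootstrap path arrive as $argv[1] and $argv[2].
    $runner = <<<'PHP'
<?php
error_reporting(E_ALL);
ini_set('display_errors', 'stderr');
$file      = $argv[1];
$bootstrap = isset($argv[2]) ? $argv[2] : '';
if ($bootstrap !== '') {
    require $bootstrap;
} else {
    function yourls_add_action() {}
    function yourls_add_filter() {}
}
ob_start();            // a plugin must not print anything at include time
include $file;         // a fatal error or ParseError here ends the child with a non-zero exit
$leaked = ob_get_clean();
if ($leaked !== '') {
    fwrite(STDERR, 'unexpected output at include time: ' . $leaked);
    exit(2);
}
exit(0);
PHP;

    $php = PHP_BINARY !== '' ? PHP_BINARY : 'php';
    // "--" makes php read the script from stdin and pass the rest as $argv,
    // so the plugin path is never mistaken for the script to run.
    $cmd  = escapeshellarg($php) . ' -- ' . escapeshellarg($plugin_file) . ' ' . escapeshellarg($bootstrap);
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return ['ok' => false, 'exit' => -1, 'output' => 'could not start the php child process'];
    }
    fwrite($pipes[0], $runner);
    fclose($pipes[0]);
    $output = stream_get_contents($pipes[1]) . stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $exit = proc_close($proc);

    return ['ok' => $exit === 0, 'exit' => $exit, 'output' => trim($output)];
}

// Demo on constructed plugin files (sample input, not real plugins).
$tmp = sys_get_temp_dir() . '/yourls_ex_' . uniqid();
mkdir($tmp, 0700);
$cases = [
    'fatal.php'  => "<?php\nex_function_that_does_not_exist();\n",
    'syntax.php' => "<?php\nfunction ex_broken( {\n",
    'noisy.php'  => "<?php\necho 'hello';\n",
    'fine.php'   => "<?php\nyourls_add_action('plugins_loaded', 'ex_init');\nfunction ex_init() {}\n",
];
foreach ($cases as $name => $src) {
    file_put_contents("$tmp/$name", $src);
    $r = yourls_ex_sandbox_include("$tmp/$name");
    printf("%-11s %-11s exit=%d %s\n", $name, $r['ok'] ? 'activatable' : 'rejected', $r['exit'],
        strtok($r['output'], "\n") ?: '');
    unlink("$tmp/$name");
}
rmdir($tmp);
```

This is a crash test, not a security boundary: the child executes the plugin with the same privileges as the web server user, so a file that passes is merely loadable, not trustworthy. In a real deployment the bootstrap argument would point at the core loader so that plugins calling the hook API are tested against the real functions rather than the demo stubs.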

@fredl99

Contributor

fredl99 commented Mar 23, 2016

> (no info) as plugin name and plugin author are absurdly linked to http://sho.rt/admin/(no%20info)

If this behaviour is reliable and reproducible, then why not ship a prepared (static) page with that name?

It could contain some information that there's something wrong with that file, maybe a hint to upgrade or some other notes. If it's not static the page could also tell the plugin's filename and/or a link to deactivate it.

Not a solution but at least some use for that link. Just an idea...

peterberbec added a commit to peterberbec/YOURLS that referenced this issue Jun 7, 2016


let's verify the file at least starts with <?php
@peterberbec

peterberbec commented Jun 7, 2016

Quick and dirty <?php test

@ozh

Member

ozh commented Apr 6, 2017

We should maybe have a look at https://github.com/Corveda/PHPSandbox (PHP 5.4+ though). Then, if not trivial to use and 100% foolproof, this issue will be closed

@ozh ozh added this to the Future milestone Apr 17, 2017

@LeoColomb LeoColomb added this to To do in YOURLS via automation Nov 29, 2017

@LeoColomb LeoColomb moved this from To do to Ideas in YOURLS Nov 29, 2017
