wp-update-server

Is it possible to add a list of domains to update?

Open slimanehma opened this issue 2 years ago • 5 comments

Is it possible to add a list of domains that are allowed to take updates to the update server? So that only sites on the allowed list can be updated?

slimanehma avatar Mar 06 '23 06:03 slimanehma

There's no built-in feature like that, but you could probably implement it by either creating your own subclass of Wpup_UpdateServer or by directly modifying the code.

Just keep in mind that when a site sends an update request, it can technically put anything it wants in the request. For example, site A could easily pretend to be site B unless you come up with some clever verification scheme.

YahnisElsts avatar Mar 06 '23 16:03 YahnisElsts

Please explain how I can do this and modify the code. Thank you.

slimanehma avatar Mar 07 '23 14:03 slimanehma

Here are some general pointers:

  • You can extend the Wpup_UpdateServer class to customize the behaviour of the update server.
  • The correct place to check if a request meets some access requirements is the checkAuthorization() method.
  • The update server attempts to automatically extract the site URL from the User-Agent header. You can get it from $request->wpSiteUrl. However, as I mentioned earlier, someone could change that URL to basically anything they want, so this is not a foolproof way to get the URL.

So something like this:

class ExampleUpdateServer extends Wpup_UpdateServer {
	protected function checkAuthorization($request) {
		parent::checkAuthorization($request);
		
		$detectedUrl = $request->wpSiteUrl;
		if (!$this->isAllowedUrl($detectedUrl)) {
			$this->exitWithError('Site URL not allowed', 403);
		}
	}
	
	private function isAllowedUrl($siteUrl) {
		/* ... */
		return true;
	}
}

And then modify index.php to use your custom class instead of Wpup_UpdateServer.

YahnisElsts avatar Mar 07 '23 17:03 YahnisElsts

I tried to do these modifications but it didn't work for me. Please clarify in which file I should do this modification and where I should put the domain names that are allowed to download updates.

slimanehma avatar Apr 04 '23 18:04 slimanehma

This is not intended to be a complete solution, just a partial example that demonstrates how to do it. You'll need to be sufficiently familiar with PHP to fill in the gaps. But to expand on my earlier comments:

  • Put the custom server class anywhere you want.
  • Put the logic that checks if the site URL matches one of the allowed domain names in the isAllowedUrl() method.
  • Modify index.php to load the class.
  • Modify index.php to use your custom class instead of Wpup_UpdateServer.

YahnisElsts avatar Apr 04 '23 18:04 YahnisElsts
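
One way to fill in the isAllowedUrl() step discussed in the thread, as an added example that is not part of the original comments or of wp-update-server itself. The ALLOWED_HOSTS constant, the isAllowedSiteUrl() helper, the AllowlistUpdateServer class name and the host names are assumptions made for illustration. As the thread notes, $request->wpSiteUrl comes from the client-supplied User-Agent header, so this check filters requests by claimed site and does not authenticate the sender.

```php
<?php
// Added example, not wp-update-server code. Host names are constructed.
const ALLOWED_HOSTS = ['example.com', 'shop.example.org'];

// True only for an http(s) URL whose parsed host exactly matches the list.
// Exact host comparison rejects look-alikes that a substring test would pass,
// such as "example.com.evil.test" or "evil.test/?example.com".
function isAllowedSiteUrl($siteUrl, array $allowedHosts = ALLOWED_HOSTS) {
	if (!is_string($siteUrl) || $siteUrl === '') {
		return false; // No site URL found in the User-Agent header: deny.
	}
	$parts = parse_url($siteUrl);
	if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])) {
		return false;
	}
	if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
		return false;
	}
	$host = rtrim(strtolower($parts['host']), '.');
	if (strpos($host, 'www.') === 0) {
		$host = substr($host, 4); // Assumption: www.example.com == example.com.
	}
	return in_array($host, $allowedHosts, true);
}

if (class_exists('Wpup_UpdateServer')) {
	// Loaded from index.php after the server's own classes: define the subclass.
	class AllowlistUpdateServer extends Wpup_UpdateServer {
		protected function checkAuthorization($request) {
			parent::checkAuthorization($request);
			if (!isAllowedSiteUrl($request->wpSiteUrl)) {
				$this->exitWithError('Site URL not allowed', 403);
			}
		}
	}
} else {
	// Run stand-alone (php thisfile.php): show decisions for constructed inputs.
	$samples = [
		'https://EXAMPLE.com/blog',          // mixed-case host
		'http://www.shop.example.org',       // www prefix
		'https://example.com.evil.test/',    // allowed name as prefix of another host
		'https://evil.test/?u=example.com',  // allowed name only in the query string
		'https://example.com@evil.test/',    // allowed name in the userinfo part
		null,                                // no URL detected
	];
	foreach ($samples as $url) {
		echo var_export($url, true), ' => ', isAllowedSiteUrl($url) ? 'allow' : 'deny', "\n";
	}
}
```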