Get WordPress

Make WordPress Core

Opened 3 months ago

Last modified 5 weeks ago

#61055 new defect (bug)

wp_update_plugins irregular transient handling.

Reported by: cybr's profile Cybr Owned by:
Milestone: 6.7 Priority: normal
Severity: normal Version: 6.6
Component: Plugins Keywords: has-patch needs-testing
Focuses: Cc:

Description

When creating $updates in wp_update_plugins(), its properties are populated immediately.

However, one property is missing, which is used later: checked.

When hooking into pre_set_site_transient_update_plugins, the checked property will be available sporadically because of this, depending on whether the $time_not_changed && ! $extra_stats branch is executed or not.

Another noteworthy issue with this function is that its implementation of set_site_transient( 'update_plugins', ... ); uses both the values $current and $updates. They store different objects at different times (1, 2).

Prepopulating both values with the same object properties would help prevent object-typing issues.

Change History (10)

#2 @SergeyBiryukov
3 months ago

  • Component changed from General to Plugins
  • Milestone changed from Awaiting Review to 6.6

This ticket was mentioned in PR #6736 on WordPress/wordpress-develop by @snehapatil02.
8 weeks ago #3

  • Keywords has-patch added

### Ticket: https://core.trac.wordpress.org/ticket/61055

## Description
Ensure consistent handling of 'checked' property in wp_update_plugins() function.

  • This PR addresses the irregular handling of the transient in the wp_update_plugins() function, ensuring that the 'checked' property is always available when hooking into pre_set_site_transient_update_plugins.
  • It also ensures consistency between the $current and $updates objects, preventing potential issues caused by different object properties at different times.

## Changes Made

  • Initialize the 'checked' property in the $current object if it is not already set.
  • Ensure that the 'checked' property is always assigned to the $updates object.
  • Prepopulate both $current and $updates with the same 'checked' property to prevent object-typing issues.
  • Update the set_site_transient('update_plugins', $updates) to store the $updates object consistently.

siliconforks commented on PR #6736:
8 weeks ago #4

Note that there is already an existing patch (which is intended to address this problem) in this ticket:

https://core.trac.wordpress.org/ticket/44118

#5 follow-up: @Cybr
7 weeks ago

This might be a duplicate of #44118; though addressing a different issue, its resolution appears to be the same.

#6 in reply to: ↑ 5 @siliconforks
7 weeks ago

Replying to Cybr:

This might be a duplicate of #44118; though addressing a different issue, its resolution appears to be the same.

#44118 basically has the same root cause - the checked property is missing from the transient, which causes additional (unnecessary) update checks to be performed.

This ticket was mentioned in Slack in #core by nhrrob. View the logs.
6 weeks ago

#8 @tremidkhar
6 weeks ago

  • Keywords needs-testing added

This ticket was mentioned in Slack in #core by nhrrob. View the logs.
5 weeks ago

#10 @nhrrob
5 weeks ago

  • Milestone changed from 6.6 to 6.7

We are very close to RC1.
Looks like it still needs testing.
Punting to 6.7

Note: See TracTickets for help on using tickets.