I was wondering what steps you use to keep downloaded plugins from being malicious?
For example, what does WordPress do to ensure that the plugins you download do not simply execute unlink('/')?
I’m assuming it partly depends on the downloader to install plugins to use his or her own discretion, but do plugin systems take measures to minimize the security risk of running 3rd party plugins?
Thanks!
Matt Mueller
Simple answer: you can’t do this programmatically. Simply can’t be done. Certainly WordPress has a validator of some sort to determine whether the plugin is outright nasty, but there’s no way to say for certain that it is safe.
I’m an intern at Mozilla this summer and I’m working on the validator that scans add-ons as they’re submitted to addons.mozilla.org. I can only imagine that WordPress has a very similar tool on their end. The idea is that the app outright rejects blatantly malicious code (eval("evil nasty code");), while the rest of it is analyzed with some simple heuristics. The algorithms in place mark down some potential red flags based on what it sees in the add-on package and submits those notes to the editors, who then review the code. It effectively ends up being a human-powered process, but the software helps to take care of a lot of the heavy lifting.
Some techniques that the Mozilla validator uses:
You can check out the code here:
http://github.com/mattbasta/amo-validator
Hope this helps!
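The reject-or-flag-for-an-editor flow described in the answer above, as an added example that is not part of the original post and is not code from amo-validator. The rule set, function names and sample files are assumptions made for illustration.

```python
import re

# Hypothetical rules for illustration; not the rule set amo-validator ships.
# (rule id, verdict, pattern, note shown to the human editor)
RULES = [
    ("eval-literal", "reject", r"\beval\s*\(\s*[\"']", "eval() on a string literal"),
    ("eval-dynamic", "review", r"\beval\s*\(\s*[^\"'\s)]", "eval() on a computed value"),
    ("function-ctor", "review", r"\bnew\s+Function\s*\(", "code built with new Function()"),
    ("timer-string", "review", r"\bset(?:Timeout|Interval)\s*\(\s*[\"']", "timer given a code string"),
]

# Strings are matched first so that "//" inside a URL is not taken for a comment.
# Regex literals and template strings are not handled in this sketch.
TOKEN = re.compile(r'"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\'|//[^\n]*|/\*.*?\*/', re.S)

def blank_comments(src):
    """Overwrite comments with spaces, keeping newlines so line numbers hold."""
    def repl(m):
        tok = m.group()
        return re.sub(r"[^\n]", " ", tok) if tok.startswith("/") else tok
    return TOKEN.sub(repl, src)

def scan(name, src):
    """Return findings for one file as (file, line, rule id, verdict, note)."""
    code = blank_comments(src)
    found = []
    for rule, verdict, pattern, note in RULES:
        for m in re.finditer(pattern, code):
            line = code.count("\n", 0, m.start()) + 1
            found.append((name, line, rule, verdict, note))
    return sorted(found)

def triage(files):
    """Reject on any 'reject' finding; otherwise hand the notes to an editor."""
    findings = [f for name, src in sorted(files.items()) for f in scan(name, src)]
    decision = "reject" if any(f[3] == "reject" for f in findings) else "editor-review"
    return decision, findings

# Constructed sample add-on files (not taken from any real package)
SAMPLE = {
    "good.js": '// eval("not real code")\nvar u = "http://example.test/"; setTimeout(tick, 100);\n',
    "odd.js": 'var f = new Function("a", body);\nsetTimeout("poll()", 500);\n',
    "bad.js": 'var u = "http://example.test/"; eval("evil nasty code");\n',
}

if __name__ == "__main__":
    decision, findings = triage(SAMPLE)
    print(decision, *("%s:%d [%s/%s] %s" % f for f in findings), sep="\n")
```

A clean scan still ends in "editor-review" rather than "safe", matching the answer's point that the software only prepares notes for a human reviewer.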