Is it possible to add a list of domains to update? #106

Open
slimanehma opened this issue Mar 6, 2023 · 5 comments

@slimanehma

Is it possible to add a list of domains that are allowed to take updates to the update server?
So that only sites on the allowed list can be updated?

@YahnisElsts
Owner

There's no built-in feature like that, but you could probably implement it by either creating your own subclass of Wpup_UpdateServer or by directly modifying the code.

Just keep in mind that when a site sends an update request, it can technically put anything it wants in the request. For example, site A could easily pretend to be site B unless you come up with some clever verification scheme.

@slimanehma
Author

Please explain how I can do this and modify the code.
Thank you

@YahnisElsts
Owner

Here are some general pointers:

  • You can extend the Wpup_UpdateServer class to customize the behaviour of the update server.
  • The correct place to check if a request meets some access requirements is the checkAuthorization() method.
  • The update server attempts to automatically extract the site URL from the User-Agent header. You can get it from $request->wpSiteUrl. However, as I mentioned earlier, someone could change that URL to basically anything they want, so this is not a foolproof way to get the URL.

So something like this:

```php
class ExampleUpdateServer extends Wpup_UpdateServer {
	protected function checkAuthorization($request) {
		parent::checkAuthorization($request);
		
		$detectedUrl = $request->wpSiteUrl;
		if (!$this->isAllowedUrl($detectedUrl)) {
			$this->exitWithError('Site URL not allowed', 403);
		}
	}
	
	private function isAllowedUrl($siteUrl) {
		/* ... */
		return true;
	}
}
```

And then modify index.php to use your custom class instead of Wpup_UpdateServer.

@slimanehma
Author

I tried to do these modifications but it didn't work for me
Please clarify in which file I should do this modification and where I should put the domain names that are allowed to download updates

@YahnisElsts
Owner

This is not intended to be a complete solution, just a partial example that demonstrates how to do it. You'll need to be sufficiently familiar with PHP to fill in the gaps. But to expand on my earlier comments:

  • Put the custom server class anywhere you want.
  • Put the logic that checks if the site URL matches one of the allowed domain names in the isAllowedUrl() method.
  • Modify index.php to load the class.
  • Modify index.php to use your custom class instead of Wpup_UpdateServer.
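
Added example, not part of the thread and not the project's own code: one way to fill in the isAllowedUrl() step with an exact host match that fails closed when no site URL is detected. As the owner notes above, $request->wpSiteUrl is taken from the client-supplied User-Agent header, so this check filters requests but does not verify who is asking. The class names SiteHostAllowlist and AllowlistUpdateServer and the host names are assumptions chosen for illustration.

```php
<?php
// Added example, not from the thread: a host allowlist for isAllowedUrl().
// Class names and host names below are assumptions (constructed values).
final class SiteHostAllowlist {
	private $hosts = array();
	public function __construct(array $hosts) {
		foreach ($hosts as $host) {
			$this->hosts[self::normalize($host)] = true;
		}
	}
	private static function normalize($host) {
		// Host names are case-insensitive; drop a trailing root dot.
		return rtrim(strtolower(trim($host)), '.');
	}

	public function allows($siteUrl) {
		if (!is_string($siteUrl) || $siteUrl === '') {
			return false; // No site URL detected in the request: fail closed.
		}
		$scheme = strtolower((string) parse_url($siteUrl, PHP_URL_SCHEME));
		$host = parse_url($siteUrl, PHP_URL_HOST);
		if (!is_string($host) || !in_array($scheme, array('http', 'https'), true)) {
			return false;
		}
		// Exact match on the parsed host, not a substring test on the URL.
		return isset($this->hosts[self::normalize($host)]);
	}
}

// Wiring into the update server, following the subclass shown in the thread.
if (class_exists('Wpup_UpdateServer')) {
	class AllowlistUpdateServer extends Wpup_UpdateServer {
		protected function checkAuthorization($request) {
			parent::checkAuthorization($request);
			$allowlist = new SiteHostAllowlist(array('example.com', 'shop.example.org'));
			if (!$allowlist->allows($request->wpSiteUrl)) {
				$this->exitWithError('Site URL not allowed', 403);
			}
		}
	}
}

// Constructed sample inputs, so the file also runs on its own from the CLI.
if (PHP_SAPI === 'cli') {
	$demo = new SiteHostAllowlist(array('example.com'));
	foreach (array('https://EXAMPLE.com/blog', 'https://example.com.other.test/', 'example.com', null) as $url) {
		printf("%-34s %s\n", var_export($url, true), $demo->allows($url) ? 'allowed' : 'denied');
	}
}
```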
