Am I allowed to include .zip package in WordPress.Org plugin repository?

  • Resolved Tazo Todua


    Recently, we wanted to submit the plugin which contained the .zip file (external application package from official source, with its confirmed sha1 or whatever) that was unpacked upon plugin installation automatically.

    However, I was forbidden (plugin reviewer…) to do so; the answer included that SVN is not meant to work so. But I have nowhere (neither guideline nor other place) seen that .zip shouldn’t be contained in the plugin.
    Can you point out to me why I am not allowed to do so?

Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator Samuel Wood (Otto)

    (@otto42) Admin

    The plugins team is happy to explain these things to you via email. You know those reviews we send where we tell you these things? You can reply to them. We get the replies. We answer them too.

    To answer your specific question, you were including a ZIP file and then code in the plugin to unpack that ZIP file on plugin installation. The reason that this is a bad idea is because not all WordPress installations are the same. While doing this will work on your typical shared hosting or localhost type of setup, there are plenty of installations where direct writing of files by the PHP process will result in files with incorrect or insecure owners or permissions.

    Not all servers run in a “setuid” mode, and thus direct writing of files, especially executable script code, is not safe in all environments. WordPress uses a system called the “WP_Filesystem” to get around this problem during upgrades, and this exists for security reasons. However, it cannot work around the issue without user input. If you have ever seen a WordPress upgrade ask a user for FTP credentials, then now you know what that is for.

    Furthermore, having a plugin contain a ZIP file which it unzips itself is pointless, when the plugin is delivered as a ZIP file to begin with. WordPress downloads the ZIP file with the plugin, then unzips it correctly and places it in the plugin directory. Having yet a secondary unzip process is pointless when you can simply unzip your file in advance and place it directly in the plugin where it is supposed to go.

    Many thanks again. Nothing needs to be added by me, I now understand well…
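
An added example, not part of the thread and not WordPress code: a standalone PHP check of the condition described in the reply above, namely whether a file written directly by the PHP process ends up with a different owner or looser permissions than the files already installed. The function name `audit_direct_write` and the scratch directory are assumptions made for the illustration.

```php
<?php
// Added example (hypothetical helper, not WordPress code): report what a direct
// write by the PHP process produces next to an already-installed file.
function audit_direct_write(string $dir, string $reference): array
{
    $probe = $dir . '/probe-' . bin2hex(random_bytes(8)) . '.txt';
    if (@file_put_contents($probe, "probe\n") === false) {
        return ['direct_write' => false, 'findings' => ["PHP cannot write to $dir"]];
    }
    clearstatcache();
    $newOwner = fileowner($probe);        // uid the PHP process writes as
    $refOwner = fileowner($reference);    // uid that owns the installed files
    $mode     = fileperms($probe) & 0777; // permission bits left by the umask
    unlink($probe);

    $findings = [];
    if ($newOwner !== $refOwner) {
        $findings[] = "owner mismatch: new file uid $newOwner, installed files uid $refOwner";
    }
    if ($mode & 0002) {
        $findings[] = sprintf('new file is world-writable (mode %04o)', $mode);
    }
    if ($mode & 0020) {
        $findings[] = sprintf('new file is group-writable (mode %04o)', $mode);
    }
    return [
        'direct_write' => true,
        'new_owner'    => $newOwner,
        'ref_owner'    => $refOwner,
        'mode'         => sprintf('%04o', $mode),
        'findings'     => $findings,
    ];
}

// Constructed demo: a scratch directory stands in for a plugin directory.
// Here the same process creates both files, so the owners match; on a host
// where plugin files were uploaded by another account, they would not.
$dir = sys_get_temp_dir() . '/plugin-demo-' . bin2hex(random_bytes(4));
mkdir($dir, 0755);
$reference = $dir . '/plugin.php';
file_put_contents($reference, "<?php // constructed stand-in for an installed file\n");

print_r(audit_direct_write($dir, $reference));

unlink($reference);
rmdir($dir);
```

A non-empty `findings` list is the situation in which files unpacked by plugin code would carry the wrong owner or mode, which is why such writes are expected to go through WP_Filesystem instead.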
