WP-CLI v2.5.0 Release Notes

Here it finally is, the long-awaited WP-CLI release v2.5.0! For this release, we had 73 contributors collaborate to get a whopping 600 pull requests merged.

It was a very tough release to get out, as so many different systems and dependencies all broke or had issues at the same time: PHP, MySQL, Travis CI, Composer, Requests, … all of these produced major compatibility issues in a seemingly concerted effort! 😅

More importantly, though, I’m pretty certain that all of the WP-CLI contributors were additionally suffering under the “new normal” of COVID-19 – those contributors lucky enough to still earn regular income during the pandemic are still battling health issues (for themselves and their family), isolation and burnout.

As a maintainer, my initial plan was to devise special events and additional incentives to hopefully raise the level of contribution back up again. But I decided against doing so. Even though we all can’t wait to get a new release out and onto servers, I did not want to add to the additional pressure that the volunteer contributors are already feeling right now. The risks of burnout or other negative effects on mental health have never been more prevalent than now, when everyone has had to dial down their social support systems. With that in mind, I opted to knowingly go with a longer release time. I am fully aware that a lot of companies had to look into extra workarounds or similar to deal with the late release, but I had to assume that this still happens in a paid capacity. Given the global situation, this seemed more justifiable to me than moving the cost towards volunteer health instead.

Thanks to all the support I had during the extended release time, not least to the WP-CLI sponsors who have allowed me to personally invest as much time as needed into the project to make this release happen.

Now, with that being said, let’s go over some of the noteworthy changes in this release. As always, you can also skip directly to the detailed changelog if you prefer.

Security Fixes

This release fixes one direct and one upstream security vulnerability, so it is recommended for everyone to update to this latest release.

Improper Certificate Validation in WP-CLI framework

This security vulnerability is categorized as CWE-295: Improper Certificate Validation with a CVSS v3 severity rating of ‘high’ and was disclosed as CVE-2021-29504 (GitHub security advisory GHSA-rwgm-f83r-v3qj).

Improper error handling in HTTPS request management in WP-CLI version 0.12.0 and later allows remote attackers who are able to intercept the communication to remotely disable certificate verification on the WP-CLI side, gaining full control over the communication content. This includes the ability to impersonate update servers and push malicious updates towards WordPress instances controlled by the vulnerable WP-CLI agent, or towards WP-CLI itself.

The vulnerability stems from the fact that the default behavior of WP_CLI\Utils\http_request() when encountering a TLS handshake error is to disable certificate validation and retry the same request.

The default behavior has been changed with version 2.5.0 of WP-CLI and the wp-cli/wp-cli framework (via wp-cli/wp-cli#5523): the WP_CLI\Utils\http_request() method now accepts an $insecure option that is false by default, so a TLS handshake failure is a hard error unless that option is explicitly set. This new default is a breaking change and ripples through to all consumers of WP_CLI\Utils\http_request(), including those in separately bundled or third-party WP-CLI packages.

Insecure Deserialization of untrusted data in upstream Requests library

This security vulnerability is categorized as CWE-502: Deserialization of Untrusted Data with a CVSS v3 severity rating of ‘critical’ and was disclosed as CVE-2021-29476.

The vulnerability was found in the FilteredIterator class and was first reported to the WordPress project. The security fix applied to WordPress has been ported back into the Requests library and was distributed with release v1.8.0.

Breaking Changes

The security fix for CVE-2021-29504 detailed above led to a breaking change where the retry behavior of commands that use remote requests is disabled. Furthermore, the framework is stricter in making use of the certificates that are provided via environment settings.

This means that automated systems that previously succeeded with reliable downloads of external assets can now start to fail because there is an issue with the certificate verification. This can be due to either the environment being misconfigured for certificate verification or the server to connect to actually being insecure.

To get back to the previous behavior, the affected commands now include a new --insecure flag that re-enables the insecure retry mechanism. Beware: this opens up these remote requests to man-in-the-middle attacks!

The following commands were affected and were adapted to recognize this new --insecure flag:

  • cli update
  • config create
  • config shuffle-salts
  • core download
  • core update
  • core verify-checksums
  • package install
  • plugin install
  • plugin update
  • plugin verify-checksums
  • theme install
  • theme update
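As an added illustration of the two behaviours described above (the pre-2.5.0 retry-without-verification path in WP_CLI\Utils\http_request(), and the 2.5.0 fail-closed default that the --insecure flag on the commands listed above re-enables), here is a self-contained PHP sketch. It is not WP-CLI's own code: the function names, the TlsHandshakeException class, the callable $transport and the `insecure` option key are assumptions chosen so the file runs offline with `php file.php`; the real WP_CLI\Utils\http_request() has a different signature.

```php
<?php
// Added illustration of fail-closed TLS handling in a request wrapper.
// NOT WP-CLI's own http_request(): names, the exception class and the
// $transport callable are assumptions that keep the example runnable.

class TlsHandshakeException extends RuntimeException {}

/**
 * Pre-2.5.0 style behaviour (the defect behind CVE-2021-29504): on a TLS
 * handshake error, silently retry with certificate verification disabled.
 * Anyone on the path who can make the first handshake fail is then handed
 * an unverified second connection.
 */
function http_request_vulnerable(string $url, callable $transport): string
{
    try {
        return $transport($url, true); // true = verify the certificate
    } catch (TlsHandshakeException $e) {
        // Defect: downgrade to no verification and retry the same request.
        return $transport($url, false);
    }
}

/**
 * 2.5.0 style behaviour: a verification failure is a hard error unless the
 * caller explicitly opted in via $options['insecure'] (false by default).
 */
function http_request_fixed(string $url, callable $transport, array $options = []): string
{
    $insecure = (bool) ($options['insecure'] ?? false);
    try {
        return $transport($url, true);
    } catch (TlsHandshakeException $e) {
        if (! $insecure) {
            // Fail closed and tell the operator why, so a misconfigured CA
            // bundle gets fixed instead of papered over.
            throw new RuntimeException(
                "TLS verification failed for {$url}: {$e->getMessage()}. "
                . 'Fix the CA configuration, or pass --insecure to accept the risk.',
                0,
                $e
            );
        }
        fwrite(STDERR, "Warning: retrying {$url} without certificate verification (--insecure)\n");
        return $transport($url, false);
    }
}

/**
 * Command-level plumbing: the --insecure flag of a command maps onto the
 * option (flag name from the release notes; $assoc_args is the shape WP-CLI
 * hands flags to command handlers in).
 */
function download_with_flag(string $url, callable $transport, array $assoc_args): string
{
    return http_request_fixed($url, $transport, ['insecure' => isset($assoc_args['insecure'])]);
}

// Constructed fake transport emulating a server whose certificate does not
// validate: verified connections fail, unverified ones "succeed".
$untrustedServer = function (string $url, bool $verify): string {
    if ($verify) {
        throw new TlsHandshakeException('unable to get local issuer certificate');
    }
    return "payload from {$url} (UNVERIFIED)";
};

$url = 'https://updates.example.invalid/core.zip'; // constructed, not a real host

// Old behaviour: the download "works", but over an unverified connection.
echo 'vulnerable: ', http_request_vulnerable($url, $untrustedServer), "\n";

// New default: hard error, nothing is downloaded.
try {
    download_with_flag($url, $untrustedServer, []);
} catch (RuntimeException $e) {
    echo 'fixed (default): ', $e->getMessage(), "\n";
}

// New behaviour with an explicit opt-in, equivalent to `wp core download --insecure`.
echo 'fixed (--insecure): ', download_with_flag($url, $untrustedServer, ['insecure' => true]), "\n";
```

The important design point is that the downgrade decision moves from inside the library (where it was invisible to the caller) to the command line, where an operator or CI pipeline has to spell out `--insecure` and can be audited for doing so.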

PHP 8 support

WP-CLI now officially supports PHP 8. All commands are being extensively tested against PHP 8 and the actual development is currently being done on PHP 8 as well.

However, keep in mind that PHP 8 support is not fully there for WordPress Core, and especially not for a large part of plugins and themes. Due to the nature of the changes that PHP 8 brings about, it is very easy for third-party code hooked in via the actions/filters system to break perfectly compatible WordPress Core or WP-CLI code. Keep this in mind when diagnosing PHP 8 compatibility issues and trying to deduce where the erroneous code is to be found.

Improved MySQL/MariaDB support

As it turns out, WordPress Core has not been compatible with a default MySQL database for a while now. What actually happens is that WordPress switches the database in a sort of “legacy” mode at runtime. This has caused the WP-CLI code that uses WPDB to slowly diverge in results from the code that makes direct database requests via the mysql shell binary.

This has now been rectified (at least for all of the major use cases) by letting WP-CLI employ the same “legacy” database mode via a few hacks around the mysql binary.

Package Manager is now powered by Composer v2

Composer v2 has drastically improved both the processing time and the memory usage of its dependency resolution mechanisms. The WP-CLI Package Manager that you can use via the wp package * commands now gets to benefit from these same improvements, as it internally uses the new Composer v2 code.

This should also make the dreaded Out-Of-Memory problems with package installation much rarer, even on shared hosting or tight Docker containers.