Remove SWFUpload

[azaozz]

Development on ​SWFUpload stopped more than seven years ago. With WordPress' policy to keep plugins working, we had to ​fork it to be able to do security updates.

Currently it seems only a handful of old plugins are still using SWFUpload. It's time to say Goodbye :)

[azaozz]

We would need to "refactor" the integration JS and replace SWFUpload with a standard file field so we don't break the sites that still use the old/outdated plugins.

[azaozz]

#40627 was marked as a duplicate.

[westonruter]

@azaozz it took 176m35.812s to obtain this for you 🙂

There are ~128 themes and plugins that reference swfobect on WordPress.org: ​https://gist.github.com/westonruter/5000413c23774155aec1840b59989c89

[azaozz]

Replying to westonruter:

Great! Thank you!

Looking through that list, most plugins and themes haven't been updated in the last couple of years. However there are few with lots of users:

wysija-newsletters
codestyling-localization
wp-all-import
profile-builder
wp-filebase
flash-album-gallery

So we will have to have some back-compat. Not full functionality, but enough to ensure there aren't any JS errors and there is an upload form field instead of the embedded Flash.

[azaozz]

In 41752.patch:

• Refactor swfupload.js to output a simple upload form.
• Delete the SWFUpload plugins directory and swfupload.swf.
• Remove flash cookies "hack".

The patch attempts to trigger the "no flash available" mode. If it doesn't exist, it outputs a simple form with a <input type="file" /> field and a submit button. Seems to be working properly in WordPress 3.2 (last version we used SWFUpload) but will need more testing in the affected plugins: https://core.trac.wordpress.org/attachment/ticket/41752/Plugins-using-SWFUpload.txt

[seaniebyrne]

To add additional urgency to this bug SWFUpload suffers from some security vulnerabilities that have been reported via HackerOne to Wordpress.

[azaozz]

@seaniebyrne trac is not the place to discuss security issues. If there is a submission to H1 that can be reproduced, it will be discussed there.

[seaniebyrne]

@azaozz Understood. No details of the vuln. should be shared or discussed here. However, a POC for this vulnerability is being widely circulated right now, this should impact the severity of the bug and the urgency of the fix.

[azaozz]

Replying to seaniebyrne:

No details of the vuln. should be shared or discussed here.

Not only that. Anything related to security should not be discussed on trac. This is for the safety of all WordPress users. That's why there is a H1 account and I can assure you it has a lot higher priority than trac.

[azaozz]

Going to commit 41752.patch to make it easier to test with the affected plugins.

[azaozz]

In 41554:

Remove SWFUpload,

• Refactor swfupload.js to output a simple upload form, and handlers.js.
• Delete the SWFUpload plugins directory and swfupload.swf.
• Remove flash cookies "hack" from async-upload.php.

See #41752.

[westonruter]

Closing since there hasn't been anything reported here since it was removed.

See also dev note: ​https://make.wordpress.org/core/2017/09/07/removing-swfupload/

Comments there seem mostly positive without any big red flags.