Opened 3 years ago
Closed 3 years ago
#41752 closed defect (bug) (fixed)
Remove SWFUpload
Reported by: | azaozz | Owned by: | |
---|---|---|---|
Milestone: | 4.9 | Priority: | high |
Severity: | normal | Version: | |
Component: | Upload | Keywords: | has-patch needs-testing has-dev-note |
Focuses: | Cc: |
Description
Development on SWFUpload stopped more than seven years ago. With WordPress' policy to keep plugins working, we had to fork it to be able to do security updates.
Currently it seems only a handful of old plugins are still using SWFUpload. It's time to say Goodbye :)
Attachments (2)
Change History (17)
This ticket was mentioned in Slack in #core by jeffpaul. View the logs.
3 years ago
#4
follow-up:
↓ 5
@
3 years ago
@azaozz it took 176m35.812s to obtain this for you 🙂
There are ~128 themes and plugins that reference swfobect on WordPress.org: https://gist.github.com/westonruter/5000413c23774155aec1840b59989c89
#5
in reply to:
↑ 4
@
3 years ago
Replying to westonruter:
Great! Thank you!
Looking through that list, most plugins and themes haven't been updated in the last couple of years. However there are few with lots of users:
wysija-newsletters
codestyling-localization
wp-all-import
profile-builder
wp-filebase
flash-album-gallery
So we will have to have some back-compat. Not full functionality, but enough to ensure there aren't any JS errors and there is an upload form field instead of the embedded Flash.
#6
@
3 years ago
- Keywords has-patch needs-testing added; needs-patch removed
- Priority changed from normal to high
In 41752.patch:
- Refactor
swfupload.js
to output a simple upload form. - Delete the SWFUpload plugins directory and swfupload.swf.
- Remove flash cookies "hack".
The patch attempts to trigger the "no flash available" mode. If it doesn't exist, it outputs a simple form with a <input type="file" />
field and a submit button. Seems to be working properly in WordPress 3.2 (last version we used SWFUpload) but will need more testing in the affected plugins: https://core.trac.wordpress.org/attachment/ticket/41752/Plugins-using-SWFUpload.txt
#7
follow-up:
↓ 8
@
3 years ago
To add additional urgency to this bug SWFUpload suffers from some security vulnerabilities that have been reported via HackerOne to Wordpress.
#8
in reply to:
↑ 7
@
3 years ago
@seaniebyrne trac is not the place to discuss security issues. If there is a submission to H1 that can be reproduced, it will be discussed there.
#9
follow-up:
↓ 10
@
3 years ago
@azaozz Understood. No details of the vuln. should be shared or discussed here. However, a POC for this vulnerability is being widely circulated right now, this should impact the severity of the bug and the urgency of the fix.
#10
in reply to:
↑ 9
@
3 years ago
Replying to seaniebyrne:
No details of the vuln. should be shared or discussed here.
Not only that. Anything related to security should not be discussed on trac. This is for the safety of all WordPress users. That's why there is a H1 account and I can assure you it has a lot higher priority than trac.
#11
@
3 years ago
Going to commit 41752.patch to make it easier to test with the affected plugins.
This ticket was mentioned in Slack in #core by melchoyce. View the logs.
3 years ago
This ticket was mentioned in Slack in #core by westonruter. View the logs.
3 years ago
#15
@
3 years ago
- Keywords has-dev-note added
- Resolution set to fixed
- Status changed from new to closed
Closing since there hasn't been anything reported here since it was removed.
See also dev note: https://make.wordpress.org/core/2017/09/07/removing-swfupload/
Comments there seem mostly positive without any big red flags.
We would need to "refactor" the integration JS and replace SWFUpload with a standard
file
field so we don't break the sites that still use the old/outdated plugins.