WordPress.org

Make WordPress Core

Opened 9 months ago

Last modified 3 months ago

#24728 new enhancement

Provide option to disable / remove swfupload

Reported by: msaffitz
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: Upload
Keywords:
Focuses:
Cc:

Description

This suggestion is in response to the vulnerability discussed here: https://github.com/wordpress/secure-swfupload/issues/1

Given swfupload is deprecated, it'd be nice to provide an option to disable and/or remove it from an install to reduce potential attack surface. Ideally this could be done in such a way that plugins could detect whether swfupload were available or not, but I'm not sure how feasible that is or even if it would be ideal, since the work to implement detection would be better spent just upgrading to plupload.

Change History (4)

comment:1 nacin, 9 months ago

You can simply delete the wp-includes/js/swfupload/ directory.

comment:2 follow-up: msaffitz, 9 months ago

Would that cause issues for upgrades? (i.e. Would the files be added back on upgrade to newer versions of WP?)

comment:3 in reply to: ↑ 2 nacin, 9 months ago

Replying to msaffitz:

> Would that cause issues for upgrades? (i.e. Would the files be added back on upgrade to newer versions of WP?)

Yeah, technically.

comment:4 nacin, 3 months ago

  • Component changed from General to Upload