Make WordPress Core

Opened 3 weeks ago

Last modified 10 hours ago

#41752 new defect (bug)

Remove SWFUpload

Reported by: azaozz Owned by:
Milestone: 4.9 Priority: high
Severity: normal Version:
Component: Upload Keywords: has-patch needs-testing
Focuses: Cc:


Development on SWFUpload stopped more than seven years ago. With WordPress' policy to keep plugins working, we had to fork it to be able to do security updates.

Currently it seems only a handful of old plugins are still using SWFUpload. It's time to say Goodbye :)

Attachments (2)

41752.patch (91.8 KB) - added by azaozz 12 days ago.
Plugins-using-SWFUpload.txt (3.5 KB) - added by azaozz 12 days ago.

Download all attachments as: .zip

Change History (14)

#1 @azaozz
3 weeks ago

  • Keywords needs-patch added

We would need to "refactor" the integration JS and replace SWFUpload with a standard file field so we don't break the sites that still use the old/outdated plugins.

#2 @azaozz
3 weeks ago

#40627 was marked as a duplicate.

This ticket was mentioned in Slack in #core by jeffpaul. View the logs.

3 weeks ago

#4 follow-up: @westonruter
3 weeks ago

@azaozz it took 176m35.812s to obtain this for you 🙂

There are ~128 themes and plugins that reference swfobect on WordPress.org: https://gist.github.com/westonruter/5000413c23774155aec1840b59989c89

#5 in reply to: ↑ 4 @azaozz
3 weeks ago

Replying to westonruter:

Great! Thank you!

Looking through that list, most plugins and themes haven't been updated in the last couple of years. However there are few with lots of users:


So we will have to have some back-compat. Not full functionality, but enough to ensure there aren't any JS errors and there is an upload form field instead of the embedded Flash.

Last edited 2 weeks ago by azaozz (previous) (diff)

12 days ago

#6 @azaozz
12 days ago

  • Keywords has-patch needs-testing added; needs-patch removed
  • Priority changed from normal to high

In 41752.patch:

  • Refactor swfupload.js to output a simple upload form.
  • Delete the SWFUpload plugins directory and swfupload.swf.
  • Remove flash cookies "hack".

The patch attempts to trigger the "no flash available" mode. If it doesn't exist, it outputs a simple form with a <input type="file" /> field and a submit button. Seems to be working properly in WordPress 3.2 (last version we used SWFUpload) but will need more testing in the affected plugins: https://core.trac.wordpress.org/attachment/ticket/41752/Plugins-using-SWFUpload.txt

#7 follow-up: @seaniebyrne
14 hours ago

To add additional urgency to this bug SWFUpload suffers from some security vulnerabilities that have been reported via HackerOne to Wordpress.

#8 in reply to: ↑ 7 @azaozz
13 hours ago

@seaniebyrne trac is not the place to discuss security issues. If there is a submission to H1 that can be reproduced, it will be discussed there.

#9 follow-up: @seaniebyrne
13 hours ago

@azaozz Understood. No details of the vuln. should be shared or discussed here. However, a POC for this vulnerability is being widely circulated right now, this should impact the severity of the bug and the urgency of the fix.

#10 in reply to: ↑ 9 @azaozz
13 hours ago

Replying to seaniebyrne:

No details of the vuln. should be shared or discussed here.

Not only that. Anything related to security should not be discussed on trac. This is for the safety of all WordPress users. That's why there is a H1 account and I can assure you it has a lot higher priority than trac.

#11 @azaozz
13 hours ago

Going to commit 41752.patch to make it easier to test with the affected plugins.

#12 @azaozz
10 hours ago

In 41554:

Remove SWFUpload,

  • Refactor swfupload.js to output a simple upload form, and handlers.js.
  • Delete the SWFUpload plugins directory and swfupload.swf.
  • Remove flash cookies "hack" from async-upload.php.

See #41752.

Note: See TracTickets for help on using tickets.