Make WordPress Core

Opened 3 months ago

Closed 4 weeks ago

#41752 closed defect (bug) (fixed)

Remove SWFUpload

Reported by: azaozz
Owned by:
Milestone: 4.9
Priority: high
Severity: normal
Version:
Component: Upload
Keywords: has-patch needs-testing has-dev-note
Focuses:
Cc:

Description

Development on SWFUpload stopped more than seven years ago. With WordPress' policy to keep plugins working, we had to fork it to be able to do security updates.

Currently it seems only a handful of old plugins are still using SWFUpload. It's time to say Goodbye :)

Attachments (2)

41752.patch (91.8 KB) - added by azaozz 2 months ago.
Plugins-using-SWFUpload.txt (3.5 KB) - added by azaozz 2 months ago.


Change History (17)

#1 @azaozz
3 months ago

  • Keywords needs-patch added

We would need to "refactor" the integration JS and replace SWFUpload with a standard file field so we don't break the sites that still use the old/outdated plugins.

#2 @azaozz
3 months ago

#40627 was marked as a duplicate.

This ticket was mentioned in Slack in #core by jeffpaul.
3 months ago

#4 follow-up: @westonruter
3 months ago

@azaozz it took 176m35.812s to obtain this for you 🙂

There are ~128 themes and plugins that reference swfobect on WordPress.org: https://gist.github.com/westonruter/5000413c23774155aec1840b59989c89

#5 in reply to: ↑ 4 @azaozz
3 months ago

Replying to westonruter:

Great! Thank you!

Looking through that list, most plugins and themes haven't been updated in the last couple of years. However, there are a few with lots of users:

wysija-newsletters
codestyling-localization
wp-all-import
profile-builder
wp-filebase
flash-album-gallery

So we will have to have some back-compat. Not full functionality, but enough to ensure there aren't any JS errors and there is an upload form field instead of the embedded Flash.

Last edited 2 months ago by azaozz

@azaozz
2 months ago

#6 @azaozz
2 months ago

  • Keywords has-patch needs-testing added; needs-patch removed
  • Priority changed from normal to high

In 41752.patch:

  • Refactor swfupload.js to output a simple upload form.
  • Delete the SWFUpload plugins directory and swfupload.swf.
  • Remove flash cookies "hack".

The patch attempts to trigger the "no flash available" mode. If it doesn't exist, it outputs a simple form with a <input type="file" /> field and a submit button. Seems to be working properly in WordPress 3.2 (last version we used SWFUpload) but will need more testing in the affected plugins: https://core.trac.wordpress.org/attachment/ticket/41752/Plugins-using-SWFUpload.txt
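The following is an added illustration of the back-compat shape described in this comment: a stand-in object named `SWFUpload` that renders a plain `<input type="file">` form instead of embedding Flash, so an old plugin that does `new SWFUpload(settings)` and calls the usual methods neither throws nor embeds a `.swf`. It is not 41752.patch (which is not reproduced on this page); the setting and method names (`upload_url`, `file_post_name`, `post_params`, `file_types`, `button_placeholder_id`, `startUpload`, and so on) follow the public SWFUpload API from memory and should be treated as assumptions, as should the constructed sample settings in the test. Values that originate in plugin code are HTML-escaped before being placed in the markup, since a shim that interpolates plugin-supplied strings into the page is otherwise a new injection point.

```javascript
// Added example: a minimal SWFUpload-shaped shim that outputs a plain upload
// form instead of a Flash movie. Illustrative only; not the ticket's patch.
// Setting/method names follow the SWFUpload API as recalled (assumption).

// Escape text for safe use inside HTML attributes and text nodes. upload_url
// and post_params come from plugin code the shim does not control.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// SWFUpload file_types use a "*.jpg;*.png" pattern; translate it to an HTML
// accept attribute (".jpg,.png"). "*.*" means no restriction.
function fileTypesToAccept(fileTypes) {
  if (!fileTypes || fileTypes === '*.*') return '';
  return fileTypes.split(';')
    .map((p) => p.trim().replace(/^\*/, ''))
    .filter((p) => p !== '' && p !== '.*')
    .join(',');
}

// Build the fallback form markup from SWFUpload-style settings: hidden fields
// for post_params, one file input named after file_post_name, a submit button.
function buildFallbackForm(settings) {
  const url = escapeHtml(settings.upload_url || '');
  const fileField = escapeHtml(settings.file_post_name || 'Filedata');
  const accept = fileTypesToAccept(settings.file_types);
  const params = settings.post_params || {};
  const hidden = Object.keys(params).map((name) =>
    `<input type="hidden" name="${escapeHtml(name)}" value="${escapeHtml(params[name])}" />`
  ).join('');
  const acceptAttr = accept ? ` accept="${escapeHtml(accept)}"` : '';
  return `<form method="post" action="${url}" enctype="multipart/form-data">` +
    hidden +
    `<input type="file" name="${fileField}"${acceptAttr} />` +
    `<input type="submit" value="Upload" />` +
    `</form>`;
}

// Stand-in constructor under the name legacy plugins instantiate. When a DOM is
// present, the form replaces the element the plugin designated as the Flash
// button placeholder; under Node (no `document`) the settings are just stored.
function SWFUpload(settings) {
  this.settings = Object.assign({ post_params: {} }, settings);
  this.movieName = null; // no Flash movie exists in fallback mode

  if (typeof document !== 'undefined' && this.settings.button_placeholder_id) {
    const target = document.getElementById(this.settings.button_placeholder_id);
    if (target) target.innerHTML = buildFallbackForm(this.settings);
  }
}

// Setting updates keep working so a later re-render reflects them.
SWFUpload.prototype.setPostParams = function (params) { this.settings.post_params = params || {}; };
SWFUpload.prototype.addPostParam = function (name, value) { this.settings.post_params[name] = value; };
SWFUpload.prototype.removePostParam = function (name) { delete this.settings.post_params[name]; };
SWFUpload.prototype.setUploadURL = function (url) { this.settings.upload_url = url; };
SWFUpload.prototype.setFileTypes = function (types, description) {
  this.settings.file_types = types;
  this.settings.file_types_description = description;
};
SWFUpload.prototype.getMovieElement = function () { return null; };

// Flash-only operations become harmless no-ops, which is what prevents the
// "is not a function" errors in plugins that drive the queue programmatically.
['startUpload', 'cancelUpload', 'stopUpload', 'selectFile', 'selectFiles',
  'setFileSizeLimit', 'setFileUploadLimit', 'setFileQueueLimit', 'setDebugEnabled', 'destroy']
  .forEach((name) => { SWFUpload.prototype[name] = function () {}; });
```

In a browser the plugin's own `new SWFUpload({...})` call is enough; the shim writes the form into the placeholder element and the plugin's later `startUpload()` calls simply do nothing, leaving the user with a working standard form posting to `upload_url`.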

#7 follow-up: @seaniebyrne
2 months ago

To add additional urgency to this bug, SWFUpload suffers from some security vulnerabilities that have been reported via HackerOne to WordPress.

#8 in reply to: ↑ 7 @azaozz
2 months ago

@seaniebyrne trac is not the place to discuss security issues. If there is a submission to H1 that can be reproduced, it will be discussed there.

#9 follow-up: @seaniebyrne
2 months ago

@azaozz Understood. No details of the vuln. should be shared or discussed here. However, a POC for this vulnerability is being widely circulated right now, this should impact the severity of the bug and the urgency of the fix.

#10 in reply to: ↑ 9 @azaozz
2 months ago

Replying to seaniebyrne:

No details of the vuln. should be shared or discussed here.

Not only that. Anything related to security should not be discussed on trac. This is for the safety of all WordPress users. That's why there is a H1 account and I can assure you it has a lot higher priority than trac.

#11 @azaozz
2 months ago

Going to commit 41752.patch to make it easier to test with the affected plugins.

#12 @azaozz
2 months ago

In 41554:

Remove SWFUpload,

  • Refactor swfupload.js to output a simple upload form, and handlers.js.
  • Delete the SWFUpload plugins directory and swfupload.swf.
  • Remove flash cookies "hack" from async-upload.php.

See #41752.

This ticket was mentioned in Slack in #core by melchoyce.
7 weeks ago

This ticket was mentioned in Slack in #core by westonruter.
4 weeks ago

#15 @westonruter
4 weeks ago

  • Keywords has-dev-note added
  • Resolution set to fixed
  • Status changed from new to closed

Closing since there hasn't been anything reported here since it was removed.

See also dev note: https://make.wordpress.org/core/2017/09/07/removing-swfupload/

Comments there seem mostly positive without any big red flags.
