Make WordPress Core

Opened 9 months ago

Closed 3 months ago

#48277 closed defect (bug) (fixed)

Update plupload library to the latest version

Reported by: Hareesh Pillai
Owned by: desrosj
Milestone: 5.4
Priority: normal
Severity: normal
Version:
Component: External Libraries
Keywords:
Focuses: javascript
Cc:


The version of plupload.js bundled with WordPress is v2.1.9 (released on 2016-05-15).
The attached patch updates the library to v2.3.6.

Further, the patch also updates moxie.js from v1.3.5 to v1.5.7

Link: https://github.com/moxiecode/plupload/releases

Attachments (3)

48277.diff (372.0 KB) - added by Hareesh Pillai 9 months ago.
48277.2.diff (788.0 KB) - added by desrosj 9 months ago.
48277.3.diff (414.6 KB) - added by desrosj 8 months ago.


Change History (16)

#1 @SergeyBiryukov
9 months ago

  • Milestone changed from Awaiting Review to 5.4

#2 @desrosj
9 months ago

  • Keywords early added

For reference, here is a complete list of changes from version 2.1.9 to 2.3.6: https://github.com/moxiecode/plupload/compare/v2.1.9...v2.3.6.

It also seems that there is a newer version, 3.1.2 (and Moxie 1.5.8). We should try to update to this version instead (if possible). A list of changes from version 2.1.9 to 3.1.2: https://github.com/moxiecode/plupload/compare/v2.1.9...v3.1.2

Adding early so this can receive lots of testing.


#3 @desrosj
9 months ago

  • Keywords needs-testing added

48277.2.diff updates to the latest versions of both Moxie and plupload. In my initial testing, everything seems to be working great. I tested the Media Library, and post edit screen using the Classic Editor.

@hareesh-pillai if you could give some testing to confirm, we should be able to shepherd this in next week for some soak time.


#4 @desrosj
8 months ago

  • Focuses javascript added
  • Keywords needs-testing removed
  • Owner set to desrosj

48277.3.diff moves plupload and MoxieJS to NPM, and integrates it into the build process. To accomplish this, handlers.js and wp-plupload.js have been moved to the js/_enqueues/wp/plupload folder. When WordPress is built, all files are put in the correct places.

I also made some JavaScript fixes to handlers.js and wp-plupload.js that are not detected by JSHint as a result of the move.

And finally, I updated the plupload-all, plupload-html5, etc. handles to match the new version of Plupload. This was added in [28108] for back-compat and the versions matched then, but the version fell out of sync with future updates.

#5 @desrosj
8 months ago

I forgot to mention that this results in the license.txt being removed. I couldn't find any other packages included through NPM that also included a license file. This can be easily added to the copy task in Grunt if anyone feels it should remain.

#6 @desrosj
8 months ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 46634:

External Libraries: Update Plupload from 2.1.9 to 2.3.6.

This change also updates the MoxieJS dependency from 1.3.5 to 1.5.7, converts Plupload to a dependency in NPM, and integrates all relevant parts into the build process.

For a full list of upstream changes, see https://github.com/moxiecode/plupload/compare/v2.1.9...v2.3.6.

Props desrosj, hareesh-pillai.
Fixes #48277.

#7 follow-up: @desrosj
8 months ago

In 46638:

External Libraries: Revert [46634-46635].

On further investigation, Plupload changed its license to a non-GPL compatible license. The newest, GPL compatible version is being used already in Core.

Unprops desrosj.
See #48277.

#8 in reply to: ↑ 7 @azaozz
8 months ago

Replying to desrosj:

Right, the Plupload license has changed from GPLv2 to AGPL after version 2.1.9. WordPress already includes the latest compatible version of it. There were some other fixes/changes there too. See #40158 and #41755.

#9 @nasiralamreeki
8 months ago

Since we can’t use newer versions from upstream is there a plan to replace this versus keeping something we can’t update from upstream anymore?

#10 follow-up: @tlterry
3 months ago

  • Component changed from External Libraries to General
  • Resolution fixed deleted
  • Severity changed from normal to critical
  • Status changed from closed to reopened
  • Type changed from enhancement to defect (bug)

Hi WP support,
I am having the issue stated below, any idea how to fix this at your end?

plupload 2.3.1 -- Found licenses in the 'Banned' license threat group ('AGPL-3.0')

Policy/Action : License-Banned
Constraint Name : License not approved in any situation
Conditions : Found licenses in the 'Banned' license threat group ('AGPL-3.0')

plupload.js located at sst-imdx-dev.zip/sst-imdx-dev/wp-includes/js/plupload
plupload.min.js located at sst-imdx-dev.zip/sst-imdx-dev/wp-includes/js/plupload
The plupload package is vulnerable to DOM Based Cross-Site Scripting (XSS). The _addFiles() function of jquery.ui.plupload.js file allows HTML in the filename to be rendered upon upload. An attacker can exploit this vulnerability by crafting a file upload link containing a malicious filename and enticing the user to click on that link, which, when rendered, results in a DOM XSS attack.

The application is vulnerable by using this component.

There is no non vulnerable version of this package. We recommend investigating alternative components or a potential mitigating control.

plupload-2.3.1.tgzpackage/js/jquery.ui.plupload/jquery.ui.plupload.js[2.2.0, )
plupload-2.3.1.tgzpackage/src/jquery.ui.plupload/jquery.ui.plupload.js[2.2.0, )
plupload-2.3.1.tgzpackage/js/jquery.ui.plupload/jquery.ui.plupload.min.js[2.2.0, )

Looking forward to hearing from you soon. Thanks.

#11 @SergeyBiryukov
3 months ago

  • Component changed from General to External Libraries

#12 in reply to: ↑ 10 @azaozz
3 months ago

  • Keywords close added; has-patch early removed

Replying to tlterry:

> I am having the issue stated below, any idea how to fix this at your end?

> plupload 2.3.1 -- Found licenses in the 'Banned' license threat group ('AGPL-3.0')

WordPress includes Plupload 2.1.9 as that is the latest GPL compatible release. See https://core.trac.wordpress.org/ticket/48277?replyto=10#comment:7 and https://core.trac.wordpress.org/ticket/48277?replyto=10#comment:8.

> The plupload package is vulnerable to DOM Based Cross-Site Scripting (XSS). The _addFiles() function of jquery.ui.plupload.js file allows

There is no jquery.ui.plupload.js file in WordPress. It is part of the optional "jQuery UI Widget" package for Plupload that was never used in WP.

> plupload-2.3.1.tgzpackage/js/jquery.ui.plupload/jquery.ui.plupload.js[2.2.0, )

As mentioned above WordPress uses Plupload version 2.1.9 and does not include the above file. Seems this report was made in error.

In addition, it is imperative to make any security related reports on https://hackerone.com/wordpress. Posting them on trac is not acceptable for security reasons.
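
The triage done by hand in comment 12 (read the bundled Plupload version, then check whether the flagged widget file is present at all) can be scripted against an extracted site tree. This is an added example, not code from WordPress or Plupload; the banner format matched by `BANNER` and the helper names are assumptions, while the version boundaries come from the report and replies above.

```python
import os
import re
import tempfile

# Values taken from the scanner report and the replies in this ticket.
FLAGGED_FILES = {"jquery.ui.plupload.js", "jquery.ui.plupload.min.js"}
XSS_RANGE_START = (2, 2, 0)    # the report lists the affected range "[2.2.0, )"
LAST_GPL_RELEASE = (2, 1, 9)   # comment 8: license changed after 2.1.9
# Assumption: plupload.js starts with a banner comment line such as " * v2.1.9".
BANNER = re.compile(r"^\s*\*\s*v(\d+)\.(\d+)\.(\d+)\s*$", re.MULTILINE)

def triage(root):
    """Walk an extracted site tree and decide whether each finding applies."""
    version, flagged = None, []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name in FLAGGED_FILES:
                flagged.append(os.path.relpath(path, root))
            elif name == "plupload.js" and version is None:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    m = BANNER.search(fh.read(4096))  # banner sits at the top
                if m:
                    version = tuple(int(p) for p in m.groups())
    return {
        "version": version,
        "flagged_files": sorted(flagged),
        # XSS finding needs the widget file AND a version in range; an
        # unreadable version keeps the finding open instead of closing it.
        "xss_applies": bool(flagged) and (version is None or version >= XSS_RANGE_START),
        # None means "undetermined": no version banner could be read.
        "agpl_applies": None if version is None else version > LAST_GPL_RELEASE,
    }

def build_sample_tree(root, version, with_widget):
    """Constructed sample input: a minimal wp-includes/js/plupload layout."""
    base = os.path.join(root, "wp-includes", "js", "plupload")
    os.makedirs(base)
    with open(os.path.join(base, "plupload.js"), "w", encoding="utf-8") as fh:
        fh.write("/**\n * Plupload - multi-runtime File Uploader\n * v%s\n */\n" % version)
    if with_widget:
        with open(os.path.join(base, "jquery.ui.plupload.js"), "w") as fh:
            fh.write("/* constructed placeholder */\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp, "2.1.9", with_widget=False)
        print(triage(tmp))
```
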

#13 @SergeyBiryukov
3 months ago

  • Keywords close removed
  • Resolution set to fixed
  • Severity changed from critical to normal
  • Status changed from reopened to closed