#48277 closed defect (bug) (fixed)
Update plupload library to the latest version
Reported by: | Hareesh Pillai | Owned by: | desrosj |
---|---|---|---|
Milestone: | 5.4 | Priority: | normal |
Severity: | normal | Version: | |
Component: | External Libraries | Keywords: | |
Focuses: | javascript | Cc: | |
Description
The version of plupload.js bundled with WordPress is v2.1.9 (released on 2016-05-15). The attached patch updates the library to v2.3.6. Further, the patch also updates moxie.js from v1.3.5 to v1.5.7.
Attachments (3)
Change History (19)
#3
@
5 years ago
- Keywords needs-testing added
48277.2.diff updates to the latest versions of both Moxie and plupload. In my initial testing, everything seems to be working great. I tested the Media Library and the post edit screen using the Classic Editor.
@hareesh-pillai, if you could give this some testing to confirm, we should be able to shepherd this in next week for some soak time.
#4
@
5 years ago
- Focuses javascript added
- Keywords needs-testing removed
- Owner set to desrosj
48277.3.diff moves plupload and MoxieJS to NPM and integrates them into the build process. To accomplish this, handlers.js and wp-plupload.js have been moved to the js/_enqueues/wp/plupload folder. When WordPress is built, all files are put in the correct places.
I also made some JavaScript fixes to handlers.js and wp-plupload.js that are now detected by JSHint as a result of the move.
And finally, I updated the plupload-all, plupload-html5, etc. handles to match the new version of Plupload. These were added in [28108] for back-compat, and the versions matched then, but the version fell out of sync with later updates.
#5
@
5 years ago
I forgot to mention that this results in the license.txt being removed. I couldn't find any other packages included through NPM that also included a license file. This can easily be added to the copy task in Grunt if anyone feels it should remain.
#9
@
5 years ago
Since we can’t use newer versions from upstream is there a plan to replace this versus keeping something we can’t update from upstream anymore?
#10
follow-up:
↓ 12
@
4 years ago
- Component changed from External Libraries to General
- Resolution fixed deleted
- Severity changed from normal to critical
- Status changed from closed to reopened
- Type changed from enhancement to defect (bug)
Hi WP support,
I am having the issue stated below; any idea how to fix this at your end?
plupload 2.3.1 -- Found licenses in the 'Banned' license threat group ('AGPL-3.0')
Policy/Action : License-Banned
Constraint Name : License not approved in any situation
Conditions : Found licenses in the 'Banned' license threat group ('AGPL-3.0')
OCCURRENCES
plupload.js located at sst-imdx-dev.zip/sst-imdx-dev/wp-includes/js/plupload
plupload.min.js located at sst-imdx-dev.zip/sst-imdx-dev/wp-includes/js/plupload
VULNERABILITIES
The plupload package is vulnerable to DOM Based Cross-Site Scripting (XSS). The _addFiles() function of jquery.ui.plupload.js file allows HTML in the filename to be rendered upon upload. An attacker can exploit this vulnerability by crafting a file upload link containing a malicious filename and enticing the user to click on that link, which, when rendered, results in a DOM XSS attack.
DETECTION
The application is vulnerable by using this component.
RECOMMENDATION
There is no non vulnerable version of this package. We recommend investigating alternative components or a potential mitigating control.
ROOT CAUSE
plupload-2.3.1.tgz package/js/jquery.ui.plupload/jquery.ui.plupload.js [2.2.0, )
plupload-2.3.1.tgz package/src/jquery.ui.plupload/jquery.ui.plupload.js [2.2.0, )
plupload-2.3.1.tgz package/js/jquery.ui.plupload/jquery.ui.plupload.min.js [2.2.0, )
Looking forward to hearing from you soon. Thanks.
#12
in reply to:
↑ 10
@
4 years ago
- Keywords close added; has-patch early removed
Replying to tlterry:
> I am having the issue stated below; any idea how to fix this at your end?
> plupload 2.3.1 -- Found licenses in the 'Banned' license threat group ('AGPL-3.0')
WordPress includes Plupload 2.1.9, as that is the latest GPL-compatible release. See https://core.trac.wordpress.org/ticket/48277?replyto=10#comment:7 and https://core.trac.wordpress.org/ticket/48277?replyto=10#comment:8.
> VULNERABILITIES
> The plupload package is vulnerable to DOM Based Cross-Site Scripting (XSS). The _addFiles() function of jquery.ui.plupload.js file allows
There is no jquery.ui.plupload.js file in WordPress. It is part of the optional "jQuery UI Widget" package for Plupload that was never used in WP.
> ROOT CAUSE
> plupload-2.3.1.tgz package/js/jquery.ui.plupload/jquery.ui.plupload.js [2.2.0, )
As mentioned above, WordPress uses Plupload version 2.1.9 and does not include the above file. It seems this report was made in error.
In addition, it is imperative to make any security-related reports on https://hackerone.com/wordpress. Posting them on Trac is not acceptable for security reasons.
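For anyone triaging a scanner finding like the one quoted above, the added example below illustrates the bug class the report describes (a filename chosen by the uploader is concatenated into an HTML string and rendered) next to the escaped form. This is illustrative code written for this ticket page, not plupload's `_addFiles()` or any WordPress code; the function names, the row markup and the sample filenames are all constructed assumptions, and DOM insertion is simulated by returning the HTML string so it runs under Node.

```javascript
// Added illustration (not plupload's or WordPress's code) of the XSS class in the
// scanner report: an attacker-chosen filename reaches innerHTML-style markup.
// Function names, markup and sample inputs are constructed for this example.

// Minimal HTML escaper that is safe for text nodes and double-quoted attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the filename is inserted verbatim, in both text and
// attribute context, into a string destined for innerHTML.
function renderFileRowUnsafe(file) {
  return '<li id="' + file.id + '" class="plupload_file">' +
         '<span class="plupload_file_name" title="' + file.name + '">' +
         file.name + '</span></li>';
}

// Hardened pattern: every uploader-controlled value is escaped before it is
// concatenated, so markup in the name stays inert text.
function renderFileRowSafe(file) {
  const name = escapeHtml(file.name);
  return '<li id="' + escapeHtml(file.id) + '" class="plupload_file">' +
         '<span class="plupload_file_name" title="' + name + '">' +
         name + '</span></li>';
}

// Review check: does the rendered row contain any tag other than the two
// structural tags the template itself emits? True means injected markup.
function containsForeignTag(html) {
  const allowed = new Set(['li', '/li', 'span', '/span']);
  const tags = html.match(/<\/?[a-zA-Z][^\s>/]*/g) || [];
  return tags.some((t) => !allowed.has(t.slice(1).toLowerCase()));
}

// Constructed sample inputs, not taken from a real upload.
const hostileFile = { id: 'o_1', name: '<img src=x onerror=alert(1)>.png' };
const benignFile = { id: 'o_2', name: 'quarterly report.pdf' };

console.log('unsafe row injects markup:', containsForeignTag(renderFileRowUnsafe(hostileFile)));
console.log('safe row injects markup:  ', containsForeignTag(renderFileRowSafe(hostileFile)));
console.log(renderFileRowSafe(hostileFile));
```

The same escaping must be applied in every context the name lands in (here both the `title` attribute and the element text); escaping only one of them leaves the other injectable. Where a real widget builds rows through the DOM rather than strings, setting `textContent` and `setAttribute` achieves the same effect without a hand-rolled escaper.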
#13
@
4 years ago
- Keywords close removed
- Resolution set to fixed
- Severity changed from critical to normal
- Status changed from reopened to closed
For reference, here is a complete list of changes from version 2.1.9 to 2.3.6: https://github.com/moxiecode/plupload/compare/v2.1.9...v2.3.6.
It also seems that there is a newer version, 3.1.2 (and Moxie 1.5.8). We should try to update to this version instead (if possible). A list of changes from version 2.1.9 to 3.1.2: https://github.com/moxiecode/plupload/compare/v2.1.9...v3.1.2
Adding the early keyword so this can receive lots of testing.