On Fri, 2013-08-16 at 15:41 +0800, Christopher Meng wrote:

> WordPress?
>
> Not easy.

Two of the ones in wordpress are both in upload libraries - plupload and swfupload. Both are present in the source tarball, it doesn't look like they're built during source compile.

It looks like we could lift swfupload right out with consequences that at least aren't fatal:

http://make.wordpress.org/core/2013/06/21/secure-swfupload/

"WordPress does not use SWFUpload, but we continue to include it in WordPress core for plugins that have yet to be updated to use Plupload, our upload library of choice."

I don't know how many plugins that affects, but at least not core WordPress.

The bad news is that, as that text mentions, Plupload is Wordpress's "library of choice", and it's the other thing with a .swf file. I don't have Flash installed here so I'm not sure how vital it is to the functioning of the uploader, but it looks like it's just an alternative:

http://www.plupload.com/

"Allows you to upload files using HTML5, Gears, Silverlight, Flash, BrowserPlus or normal forms"

Noting the mention of Silverlight, the js/plupload directory also contains plupload.silverlight.xap, which I'll wager is a Silverlight blob.

I'd guess that the consequence of removing both .swf and .xap wouldn't be deadly and the regular old 'boring' HTML uploaders would continue to work, and recommend that we do that, and kill swfupload. I'm a sort of stealth co-maintainer of wordpress using my provenpackager privileges, but I don't use the upload functionality at all, so I'm reluctant to do this - Remi, can you look at it at all? Thanks.

Wordpress 3.6 introduces the 'mediaelement' include, and that one has yet another .swf and .xap: wp-includes/js/mediaelement/flashmediaelement.swf , wp-includes/js/mediaelement/silverlightmediaelement.xap. We'll have to deal with those too when bumping to 3.6.

http://mediaelementjs.com/ says "Instead of offering an HTML5 player to modern browsers and a totally separate Flash player to older browsers, MediaElement.js upgrades them with custom Flash and Silverlight plugins that mimic the HTML5 MediaElement API.", and "HTML5 audio and video players in pure HTML and CSS.", so I'm hopeful we can just kill the blobs and not completely break stuff.

Oh, for the love of God, I just found one more:

wp-includes/js/tinymce/plugins/media/moxieplayer.swf
https://github.com/moxiecode/moxieplayer

somebody get me my gun.

The inclusion of this crap in Wordpress is working out precisely as well as you'd expect:

http://seclists.org/fulldisclosure/2013/Jun/256

Basically I think all of these are fallbacks of one kind or another, and we could just yank them without hurting much. But further checking is required.

-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
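The thread above is about locating and yanking the bundled Flash (.swf) and Silverlight (.xap) blobs from the unpacked wordpress tarball before packaging. The script below is an added example, not code from the thread, from WordPress or from the Fedora package: it enumerates every such blob under a source tree so the removal can be reviewed, strips them, and reports the count, the kind of thing a packager would run from %prep. The sample tree it builds is constructed from the four paths named in the thread plus one .js file that must survive; the file contents are placeholders, not the real binaries.

```shell
#!/bin/sh
# Added example: find and strip bundled .swf/.xap blobs from an unpacked source tree.
# Not code from the mailing-list thread, WordPress or the Fedora wordpress package.

# Print every .swf/.xap regular file under $1, one per line, relative to $1, sorted,
# so the list can be eyeballed (or diffed against a known list) before anything is removed.
find_plugin_blobs() {
    ( cd "$1" && find . -type f \( -name '*.swf' -o -name '*.xap' \) ) | sed 's|^\./||' | sort
}

# Remove all such blobs under $1 and print how many were removed.
# Counts first, then deletes with -exec ... + (POSIX), so no GNU-only -delete is needed.
strip_plugin_blobs() {
    n=$(find_plugin_blobs "$1" | wc -l | tr -d ' ')
    find "$1" -type f \( -name '*.swf' -o -name '*.xap' \) -exec rm -f {} +
    echo "$n"
}

# Build a constructed sample tree mirroring the paths named in the thread.
# The contents are placeholder strings, not real Flash/Silverlight binaries.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-includes/js/plupload" \
             "$d/wp-includes/js/mediaelement" \
             "$d/wp-includes/js/tinymce/plugins/media"
    printf 'placeholder' > "$d/wp-includes/js/plupload/plupload.silverlight.xap"
    printf 'placeholder' > "$d/wp-includes/js/mediaelement/flashmediaelement.swf"
    printf 'placeholder' > "$d/wp-includes/js/mediaelement/silverlightmediaelement.xap"
    printf 'placeholder' > "$d/wp-includes/js/tinymce/plugins/media/moxieplayer.swf"
    # A JavaScript file that must be left alone (constructed; name is hypothetical).
    printf '// js\n' > "$d/wp-includes/js/plupload/plupload.js"
    echo "$d"
}

# Demo run: ./strip-blobs.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    echo "Blobs found under $tree:"
    find_plugin_blobs "$tree"
    echo "Removed: $(strip_plugin_blobs "$tree")"
    echo "Remaining blobs: $(find_plugin_blobs "$tree" | wc -l | tr -d ' ')"
    rm -rf "$tree"
fi
```

In a real spec file you would run find_plugin_blobs against the unpacked tarball in %prep and keep its output next to the package, so a version bump that adds a new blob (as 3.6 does with mediaelement) shows up as a diff rather than slipping through.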