Comments (14)
(dot) files are blocked by the theme uploader already.
see https://github.com/Otto42/theme-check/blob/master/checks/filenames.php
from wpthemereview.
We may have some other sniffs in the future for text files. As the text file would normally only contain text we would not need to tokenize but process it differently. I am also thinking about the readme validator for plugins https://wordpress.org/plugins/about/validator/.
Is there a possibility for txt files to get renamed to php or js, or would this be found by the File System functions check?
Is there a possibility for txt files to get renamed to php or js, or would this be found by the File System functions check?
@joyously I'm not sure what you mean. Could you elaborate a bit ?
I was just thinking that a file could be named with a txt extension, but have code in it. I didn't know if all the code checks would be run on the txt file, or if the check for File System calls (such as rename) would catch code that tries to rename one of the theme files.
I was just thinking that a file could be named with a txt extension, but have code in it.
Files with a .txt extension will not be executed by the server, so we don't really need to concern ourselves with those for the code specific checks. Similarly, a browser won't execute js code found in a .txt file.
(well, ok, they could be executed, but only if you apply some very dirty .htaccess hacks which will get you banned from any reputable webhost. Actually - it might not be a bad idea to check that a theme does not contain any .htaccess files for that matter).
if the check for File System calls (such as rename) would catch code that tries to rename one of the theme files
Interesting thought (and scary). I'd have to check what the specific rule is here about file system calls, but if they are forbidden, then yes, they would (should) catch attempts to rename files.
But a theme - or plugin - for that matter, renaming files within their own installed code base is something I've not come across before and sounds wickedly evil.
Oh and @joyously - if you believe either of those points should be turned into sniffs, please open separate issues for them. This issue is specifically about the line ending check for txt files.
@jrfnl Somehow when I read this sniff, my mind returned to an old article I read recently
http://ottopress.com/2010/anatomy-of-a-theme-malware/ and other articles I've read about putting data on the end of a jpg, and I wondered if you could trust file extensions, and whether these sniffs are run only on certain files (according to file extensions). And it seems that even going through the WordPress File System would allow you to rename (move) a file. I'm not devious enough to be a hacker, and I don't know enough about this sniff code to know how to contribute except to ask my original questions.
There are ways to check files for mimetype - that would give some indication if for instance a .zip file would have been renamed to .txt, it could flag that.
But this is not a catch-all (though could catch a lot).
Possibly related with @joyously 's comment : Also think about things like include('my_php_file_with_wrong_file_extension.txt').
With all the ugly spaghetti horror scenarios I've had to work with in the last 2 years - mostly takeover jobs - I see that as a definite possibility. Yep, it's insane, but there are so many insane "btw: I'm originally a print graphic designer and never properly learned PHP"-self declared developers that have no clue what they're doing, mostly copy-and-pasting themselves through "programming" .. I'd call it a given.
cu, w0lf.
ps: maybe it'd help gathering all those nut jobs / nut cases once in a while and then use that to create better testing routines? It's mostly crappy premium themes, too many folks having worked (or ARE working) on the same job, or above described apocalyptic scenario.
maybe it'd help gathering all those nut jobs / nut cases once in a while and then use that to create better testing routines?
Creating new unit tests for sniffs is incredibly easy. Please feel invited to start creating/adding them. The better the test cases we have, the better sniffs we can create ;-)
This should be solved by #3
This should be solved by #3
Actually, no, it shouldn't. #3 deals with PHP, CSS and JS files. This issue is about the same for TXT files.
While this may be needed for the wp.org markdown parser, this is not something which can be checked for by PHPCS. If we tell PHPCS to parse txt files as PHP, it would possibly also trigger on example code contained in the readme, thus creating false positives we don't want.
This would be better solved from within the Theme Check plugin itself, just scanning the readme.txt file.
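As an added example (not Theme Check or WPThemeReview code) that pulls together the points raised across the thread, here is a content-based scan over a theme's files: it flags .txt files whose leading bytes are really an archive or image, .txt files other than readme.txt that carry a PHP open tag, include/require of non-PHP extensions inside PHP files, any shipped .htaccess, and non-LF line endings in .txt files. All function and constant names are hypothetical, the sample theme is constructed, and treating LF as the expected line ending is an assumption.

```python
import re

# Hypothetical names; added example, not Theme Check / WPThemeReview code.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)")
INCLUDE_NON_PHP = re.compile(
    rb"""\b(?:include|require)(?:_once)?\s*\(?\s*['"][^'"]+\.(?:txt|jpe?g|png|gif)['"]""")
MAGIC = {b"PK\x03\x04": "zip", b"\xff\xd8\xff": "jpeg", b"\x89PNG": "png", b"GIF8": "gif"}


def sniff_magic(data):
    """Guess the real type from leading bytes, ignoring the extension."""
    return next((kind for magic, kind in MAGIC.items() if data.startswith(magic)), None)


def line_endings(data):
    """Return 'lf', 'crlf' or 'mixed'; LF is assumed to be the expected style."""
    crlf = data.count(b"\r\n")
    return "mixed" if crlf and data.count(b"\n") > crlf else ("crlf" if crlf else "lf")


def scan_files(files):
    """files: {relative path: bytes}, as read from a theme tree. Returns sorted
    (path, finding) pairs; content is inspected, never just the extension."""
    findings = []
    for rel, data in files.items():
        name = rel.rsplit("/", 1)[-1]
        ext = name.rsplit(".", 1)[-1].lower() if "." in name[1:] else ""
        if name == ".htaccess":  # a theme has no business shipping server config
            findings.append((rel, "htaccess-present"))
        if ext == "txt":
            if sniff_magic(data):  # e.g. a .zip renamed to .txt
                findings.append((rel, "txt-is-" + sniff_magic(data)))
            # readme.txt legitimately carries example code, so it is exempt here
            if name != "readme.txt" and PHP_OPEN_TAG.search(data):
                findings.append((rel, "txt-contains-php"))
            if line_endings(data) != "lf":
                findings.append((rel, "txt-line-endings-" + line_endings(data)))
        elif ext == "php":
            for m in INCLUDE_NON_PHP.finditer(data):  # include('file.txt')
                findings.append((rel, "include-non-php:" + m.group(0).decode()))
    return sorted(findings)


# Constructed sample theme, one file per case raised in the thread.
SAMPLE_THEME = {
    "readme.txt": b"=== Demo ===\r\n`<?php echo 1; ?>`\r\n",
    "notes.txt": b"<?php echo 'not plain text'; ?>\n",
    "assets/bundle.txt": b"PK\x03\x04" + b"\x00" * 16,
    "functions.php": b"<?php\ninclude('inc/loader.txt');\n",
    ".htaccess": b"# constructed placeholder\n",
}
```

Running `scan_files(SAMPLE_THEME)` yields one finding per sample file; readme.txt is reported only for its line endings, not for the example code it contains.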