
Textpattern CMS support forum


#1 2015-11-02 09:00:23

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,134
GitHub

RFC: Remove .swf support from the image panel

I read about a recent incident of an ad network being compromised and it got me thinking about Shockwave Flash, known by its file extension .swf and commonly known online as Flash.

Flash as a medium is outdated, can be unsafe and — in some instances — highly dangerous. And yet it’s trivial to upload as an image in Textpattern. Currently there’s no option to upload SVG files in Textpattern core, but SWF is permitted. The modern web is more SVG-friendly than SWF-friendly, especially where Flash plugins don’t exist for a given mobile platform. That said, SVG files can have JavaScript embedded within them, and I’m not proposing a straight trade with SWF out and SVG in.

I propose to remove the ability to upload SWF files in Textpattern in a future minor release (4.6 or 4.7) on the grounds it’s antiquated and can be a risk.

Edit: aside from any risk (implied, expressed or otherwise), building a tag with <txp:image /> on a SWF doesn’t appear to work as it should, so if support continues it should ideally be fixed.

Last edited by gaekwad (2015-11-02 14:40:39)


#2 2015-11-02 10:56:15

philwareham
Core designer
From: Haslemere, Surrey, UK
Registered: 2009-06-11
Posts: 3,564
Website GitHub Mastodon

Re: RFC: Remove .swf support from the image panel

Seems reasonable, can you please raise an issue Pete.

Cheers.


#3 2015-11-02 11:08:28

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,134
GitHub

Re: RFC: Remove .swf support from the image panel

That was quick. Done: #581

Edit: closed the issue for now, pending feedback from RFC here.

Last edited by gaekwad (2015-11-02 11:52:48)


#4 2015-11-02 11:10:49

wet
Developer Emeritus
From: Schoerfling, Austria
Registered: 2005-06-06
Posts: 3,323
Website Mastodon

Re: RFC: Remove .swf support from the image panel

Please be aware that uploading of .SWF images requires the image.create.trusted privilege.

In the default configuration this privilege is granted to Publishers, Managing Editors, Copy Editors, and Designers.

These are the same people who can already execute PHP, edit the site’s presentation and set preferences.

I fail to understand how they would attempt to hack a site with a .SWF file when these much simpler methods are at their disposal.

Pete, care to expand on the risks you think your proposal would mitigate?


#5 2015-11-02 11:11:06

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068
Website

Re: RFC: Remove .swf support from the image panel

And perhaps another issue to add .svg support


#6 2015-11-02 11:51:27

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,134
GitHub

Re: RFC: Remove .swf support from the image panel

wet wrote #296370:

Pete, care to expand on the risks you think your proposal would mitigate?

Sure, I’ll try. I understand that user rights to upload and replace SWF images are restricted to senior staff, and there are numerous other ways to monkey around with a website given the appropriate login, but I’ve been involved in two cross-site scripting recoveries on client sites and the link I posted in the OP triggered a memory of those incidents. In one case, and this is a couple of years ago, a SWF was replaced with an identically-named rogue SWF. The breach was ultimately down to a hacked email account and locating an unchanged Textpattern-supplied password on one of the non-Publisher accounts. The second incident was similar in the end result (XSS and drive-by malware download) with a replaced SWF, but it was less clear how it occurred: pages and forms matched known-good backups, so no other hacked parts.

I don’t use the images or files panels, but I know clients who do – and they don’t give much thought to what goes in there. The (admittedly small) concern that I have is that continuing to allow SWF uploads gives it a pseudo seal of approval when Flash is bad news from a security side of things. I haven’t ever used Flash stuff outside of SWFObject and ZeroClipboard, both of which I’ve compiled from open sourced code.

Yes, sure, a person with sufficient rights could upload a SWF via files and then construct the embed code themselves, or edit a page, or a form, or FTP the sucker in, and so on. There are easier, less convoluted ways of doing the deed, but this avenue of ‘hey, upload your SWF here’ worries me a little, especially looking at the CVE list linked above.

SVG may well be a can of worms, I agree it’s not without fault, but the trend seems to be headed that way over SWFs. A PNG’s metadata can inject iframe stuff, it’s not exploit-free; low risk, sure, but PNG isn’t strictly ‘safe’ in every sense.

I’ve re-read the above text a few times and this is not a strong proposal. That’s partly the reason for the RFC rather than a pull request.

Last edited by gaekwad (2015-11-02 11:54:34)

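The two failure modes raised in this thread, an upload panel that accepts SWF because the extension is on a list, and a legitimate SWF silently replaced by an identically-named rogue one, can both be caught with a small amount of code. The following is an added, constructed example and not Textpattern code; the function names (`sniff`, `vet_upload`, `manifest`, `diff_manifest`), the allowlist and the sample byte strings are all assumptions made for illustration. It identifies a file by its magic bytes rather than its extension (SWF has three signatures: FWS uncompressed, CWS zlib-compressed, ZWS LZMA-compressed), refuses SWF whatever the filename says, flags SVG that carries script or event handlers, and records SHA-256 hashes of the stored images so a swapped-in file shows up as "replaced" on the next check.

```python
"""Constructed example: content sniffing for an image-panel allowlist plus an
integrity manifest that catches a file replaced in place. Not Textpattern code;
all names, the allowlist and the sample bytes below are illustrative."""
import hashlib
import re
import zlib
from pathlib import Path

# Leading bytes of the formats we care about. The extension is never trusted.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"FWS": "swf",   # uncompressed Flash
    b"CWS": "swf",   # zlib-compressed Flash
    b"ZWS": "swf",   # LZMA-compressed Flash
}

# What the (hypothetical) image panel is willing to store. SWF is absent by design.
IMAGE_PANEL_ALLOWED = {"png", "jpeg", "gif"}

# Active content inside an SVG: <script>, on* event attributes, javascript: URLs.
SVG_ACTIVE = re.compile(rb"<script\b|\son[a-z]+\s*=|javascript:", re.I)


def sniff(data: bytes) -> str:
    """Return a content type from the leading bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    if b"<svg" in data[:1024].lower():
        return "svg"
    return "unknown"


def vet_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Decide whether an upload may go into the image panel and say why not."""
    ext = Path(filename).suffix.lower().lstrip(".")
    norm_ext = {"jpg": "jpeg"}.get(ext, ext)
    kind = sniff(data)
    if kind == "swf":
        return False, "swf content rejected regardless of extension"
    if kind == "svg":
        if SVG_ACTIVE.search(data):
            return False, "svg carries script or event handlers"
        return False, "svg not enabled on the image panel"
    if kind not in IMAGE_PANEL_ALLOWED:
        return False, f"unrecognised content ({kind})"
    if kind != norm_ext:
        # A real PNG named foo.jpg is suspicious enough to bounce.
        return False, f"extension .{ext} does not match content {kind}"
    return True, kind


def manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Record SHA-256 of every stored file, keyed by name."""
    return {name: hashlib.sha256(blob).hexdigest() for name, blob in files.items()}


def diff_manifest(known: dict[str, str], current: dict[str, bytes]) -> dict[str, list[str]]:
    """Compare a stored manifest with what is on disk now."""
    now = manifest(current)
    return {
        "replaced": sorted(n for n in known if n in now and now[n] != known[n]),
        "missing": sorted(n for n in known if n not in now),
        "added": sorted(n for n in now if n not in known),
    }


# Constructed sample blobs: headers only, enough for the sniffer to classify.
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
GOOD_SWF = b"FWS\x0a" + b"\x00" * 12
ROGUE_SWF = b"CWS\x0a" + zlib.compress(b"constructed rogue payload")
SCRIPTED_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"></svg>'


def demo() -> dict:
    """Run the checks over the constructed samples and return the verdicts."""
    site_before = {"1.png": PNG_STUB, "2.swf": GOOD_SWF}
    known = manifest(site_before)
    # Same filename, different bytes: the incident described in the thread.
    site_after = {"1.png": PNG_STUB, "2.swf": ROGUE_SWF}
    return {
        "png": vet_upload("1.png", PNG_STUB),
        "swf_named_png": vet_upload("1.png", GOOD_SWF),
        "svg": vet_upload("logo.svg", SCRIPTED_SVG),
        "diff": diff_manifest(known, site_after),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The manifest check is only useful if the recorded hashes live somewhere the image-panel role cannot write to; if an attacker who can replace `2.swf` can also rewrite the manifest, the "replaced" list will stay empty.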

#7 2015-11-02 14:24:18

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,134
GitHub

Re: RFC: Remove .swf support from the image panel

When a SWF is uploaded and managed via the images panel, how is the code built to embed it?

I can’t find any SWF-specific code in <txp:image> that builds the right scaffolding. JPG and PNG files use img, whereas SWF uses embed. If I use this code, where my uploaded SWF is test.swf from SWFObject and has the ID 1:

<txp:image id="1" />

It renders this:

<img src="http://example.com/images/1.swf" alt="" width="300" height="120">

That doesn’t work, because SWF needs embed code, like this:

<embed src="http://example.com/images/1.swf" alt="" width="300" height="120">

Respectfully, if there’s SWF support, image should build the HTML with embed so it works and, ideally, validates.

Last edited by gaekwad (2015-11-03 08:00:06)


#8 2015-11-02 15:19:31

michaelkpate
Moderator
From: Avon Park, FL
Registered: 2004-02-24
Posts: 1,379
Website GitHub Mastodon

Re: RFC: Remove .swf support from the image panel

+1

But I am hopelessly biased because I am so sick of Flash that I actively turn off Flash support in every browser I use.


#9 2015-11-02 18:06:49

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,007
Website GitHub Mastodon Twitter

Re: RFC: Remove .swf support from the image panel

I never saw swf as being supported apart from being one of the extensions allowed to be uploaded in the images tab so +1 for dropping it. If anyone wants to use it, the files tab could easily accommodate it.


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.


#10 2015-11-02 19:35:31

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,250
Website GitHub

Re: RFC: Remove .swf support from the image panel

I never saw why .swf support was on the Images panel anyway. What exactly has a flash file got to do with images? Apart from it having the capability to act like a scriptable flicker book. Might be something obvious about the format I’ve missed. Like, maybe it’s better than gif89a at animation or something.

I’d axe support if nobody bats more than half an eyelid (here or on G+) to the proposal to remove it.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp


#11 2015-11-02 21:04:45

philwareham
Core designer
From: Haslemere, Surrey, UK
Registered: 2009-06-11
Posts: 3,564
Website GitHub Mastodon

Re: RFC: Remove .swf support from the image panel

I would not be bothered if it were to go. Not used Flash in years. The only real use it has now is as a video wrapper – but even then there are much better alternatives.


#12 2015-11-02 22:15:04

gomedia
Plugin Author
Registered: 2008-06-01
Posts: 1,373

Re: RFC: Remove .swf support from the image panel

Kill it.



Powered by FluxBB