Support » Plugin: WebP Express » Unsecure

  • igortitarenko

    (@igortitarenko)


    Works as promised. The options page is friendly and informative (which is a synonym of “friendly” for me here).

    UPD 15/06/2019:
    Looks like the plugin developer is unaware of basic security practices. Getting rid of it. Review the code before installing.

Viewing 9 replies - 1 through 9 (of 9 total)
  • Plugin Author rosell.dk

    (@roselldk)

    I have reviewed security thoroughly. If you find any issues still there, please let me know! You can email me at the address found on my website, https://www.bitwise-it.dk/contact

    Plugin Author rosell.dk

    (@roselldk)

    PS: the WordPress security team has reviewed 0.14.11 and found no issues.

    Why is there still no information in the changelog about the security issues that were fixed?

    Plugin Author rosell.dk

    (@roselldk)

    Ah. I’m not sure how much information I should be spreading about security efforts. There might be hackers who have set up robots to scan release notes for words about security.

    Hackers? You do realize that your code is out there for everyone to see and analyze, right?

    You should be publicly disclosing security issues and security fixes. As responsible and adequate developers do. Like:

    – Security fix: removed long forgotten test file that could allow attacker…
    File remained since version x.x (for the past x months). Whether it was exploited in the wild is unknown. Make sure you’re safe.
    – Security fix: Added capability checks to options page.
    – Security fix: Sanitized user input.
    – Security fix: Added checks for file paths and directories.
    – Security fix: Nonces and capability checks for AJAX calls.

    If your plugin gets removed from the WordPress repository because of critical security issues and you comment on it in the changelog as “A little something”, people like me give you a one-star review with a warning for other users.

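    As an added example (not code from WebP Express or its author), here is what the fixes in the list above look like in a WordPress AJAX handler: a capability check, a nonce check, input sanitization, and a path check that keeps the requested file inside the uploads directory. The action name `wpx_convert`, the nonce action `wpx_convert_nonce`, and the helper `wpx_resolve_inside` are assumptions for illustration.

```php
<?php
// Added example, not WebP Express code. The action name, nonce name and
// the restriction to the uploads directory are assumptions.

add_action( 'wp_ajax_wpx_convert', 'wpx_handle_convert' );

function wpx_handle_convert() {
    // Capability check: only users who may manage options can trigger this.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // Nonce check (CSRF protection). Third argument false: return instead of
    // dying, so the handler can answer with its own JSON error.
    if ( ! check_ajax_referer( 'wpx_convert_nonce', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
    }

    // Sanitize user input before using it anywhere.
    $relative = isset( $_POST['file'] ) ? sanitize_text_field( wp_unslash( $_POST['file'] ) ) : '';
    $quality  = isset( $_POST['quality'] ) ? absint( $_POST['quality'] ) : 80;
    $quality  = max( 1, min( 100, $quality ) );

    // Path check: resolve the file and confirm it lies inside the uploads dir
    // and has an expected image extension.
    $uploads = wp_upload_dir();
    $target  = wpx_resolve_inside( $uploads['basedir'], $relative );
    if ( false === $target || ! preg_match( '/\.(jpe?g|png)$/i', $target ) ) {
        wp_send_json_error( array( 'message' => 'Invalid file' ), 400 );
    }

    // At this point the request is authorized, authentic and validated.
    wp_send_json_success( array( 'file' => $target, 'quality' => $quality ) );
}

// Returns the real path of $relative under $base, or false if it does not
// exist or escapes $base (via "../" segments or a symlink).
function wpx_resolve_inside( $base, $relative ) {
    $base = realpath( $base );
    if ( false === $base ) {
        return false;
    }
    $path = realpath( $base . DIRECTORY_SEPARATOR . ltrim( $relative, '/\\' ) );
    if ( false === $path ) {
        return false;
    }
    return 0 === strpos( $path, $base . DIRECTORY_SEPARATOR ) ? $path : false;
}
```

    The matching nonce is issued on the plugin's own options page with `wp_create_nonce( 'wpx_convert_nonce' )` and sent back in the `nonce` POST field.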
    Plugin Author rosell.dk

    (@roselldk)

    Well, I was unsure if I should add it or not. I chose not to, because of that uncertainty. I was very busy fixing security so had not much time to go research this. This is my first plugin so forgive me for not being in a routine with regards to these procedures. My choice not to was what I thought was the responsible thing to do. I’m leaving for a long vacation in four days so I was really in a haste. If I did not fix the security issues and get the plugin reactivated, 30.000 people would not get any of the security fixes at all in four weeks. – As long as the plugin is deactivated, no-one gets any security fixes. I did the responsible thing and stayed up late at night working on security. I did the responsible thing and prioritized this over things that were overdue with my customers. I still need to do my tax, write a bunch of invoices, and do various personal things before the vacation. All this, I pushed, out of responsibility. So well, irresponsible is perhaps not what I am. Though I admit that it is criticizable and even irresponsible that I wasn’t following security practices in the first place. This was a wake-up call.

    With regards to how many stars I get, this is really of no importance to me (although I admit it feels nice when I get a 5-star review, like you gave me in the first place 🙂).

    It was quite irresponsible to disregard security like that, yes. Coding and development for WP must come together with an understanding of PHP and WP security practices. We, 30.000 people, kinda rely on that.

    Which is not really my point.
    I’m just pointing out that your keeping security fixes out of the plugin changelog raises questions and concerns.
    And the fact that your coding skills don’t/didn’t come with basic understanding of PHP and WP security surely doesn’t help it.

    You messed up. It happens. But there is a proper way of handling it publicly, so people don’t need to ask questions on the support forum and on GitHub about why the plugin was removed from the WP repository and what the hell is going on.

    My 5-star review was for the functionality. And it still stands.
    My 1-star review is for security and the handling of security fix disclosure.

    Good luck and have fun.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    🏳️‍🌈 Plugin Review Team Rep

    PS: the WordPress security team has reviewed 0.14.11 and found no issues.

    @roselldk That is not at all what we said. What we said was the review did not promise you’d made your plugin 100% secure, and urged you to perform a full top-down review, since you’re more familiar with your code than we are. We looked for a great many things and found them resolved.

    We also recommend developers disclose security issues that have been resolved, but we don’t require they do so immediately (or in fact at all).

    Once your plugin has been closed, those scanners are already out there looking at your plugin. It’s generally considered best practice to at least state that there WERE security issues, and then later on explain everything after a week or so.

    @igortitarenko You have good intentions here, we can see that, but please remember to respect everyone as fellow human beings. Your approach here is very antagonistic and aggressive, which rarely encourages people to want to work with you.

    I’ve flagged your account for moderation, which means your future posts will need to be approved. This is simply because I get the feeling you’re frustrated and angry, which is fair. We’d just rather you not lash out and hurt yourself, or anyone else right now 🙂 Take a break. It’s okay.

    Plugin Author rosell.dk

    (@roselldk)

    Ok, I’ll announce it then 🙂 (tomorrow)

    And well, I guess it is not incorrect to say that the security team didn’t find any issues. But of course it is not the whole story. And ok, I can see that I should have written the whole story or none.
