I would NOT let it in, take a look at the code again, he has split the function base64_decode() into base64 '_' decode to get round the uploader<br><br><div class="gmail_quote">On 4 November 2011 18:29, Edward Caissie <span dir="ltr"><<a href="mailto:edward.caissie@gmail.com">edward.caissie@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">Given that the obscured code is not posing any concerns I would be tempted to let it through, but that just leads to potential unscrupulous updates; not that I would expect them but part of the reasoning behind not allowing base64 encoded items is to keep the theme code "human-readable" as the repository should be used as a learning tool besides its more commonly associated distribution service functionality.<br>
<br>I would be interested in what compelled the author to choose to encode this link, even as a "Mallory-Everest" idea it does not fit with the "spirit of the repository".<br><br><br clear="all">Cais.<div class="HOEnZb">
<div class="h5"><br>
<br><br><div class="gmail_quote">On Fri, Nov 4, 2011 at 4:57 AM, Mikkel W. Breum <span dir="ltr"><<a href="mailto:mikkel@wpkitchen.com" target="_blank">mikkel@wpkitchen.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word"><div>Hi Tyler</div><div><br></div><div>The code is trying to hide that it's adding a credit link to the author. It's not doing anything dangerous, but it's not allowed. </div>
You can take the entire code and replace all the encoded strings with the decoded version (use <a href="http://www.opinionatedgeek.com/dotnet/tools/base64decode/" target="_blank">http://www.opinionatedgeek.com/dotnet/tools/base64decode/</a> or a similar tool for that) then you'll see that it's just encoded strings representing some links and even the name of the base64_decode function.<div>
<br></div><div>When run in its current form the function simply returns the following string:</div><div><br></div><div>"<span style="color:rgb(0, 0, 102);font-family:monospace;font-size:13px;white-space:pre-wrap">&lt;a href="http://wordpress.org/"&gt;WordPress&lt;/a&gt; and &lt;a href="http://www.foxload.com/naturefox-wordpress-theme/"&gt;NatureFox&lt;/a&gt;</span>"</div>
<div><div>
<span style="border-collapse:separate;color:rgb(0, 0, 0);font-family:Helvetica;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:-webkit-auto;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;font-size:medium"><div>
<br><br></div><div>----</div><div><br></div><div>Mikkel Breum</div><div><a href="http://wpKitchen.com" target="_blank">wpKitchen.com</a></div><div><br></div><div><a href="mailto:mikkel@wpkitchen.com" target="_blank">mikkel@wpkitchen.com</a></div>
<div>phone: <a href="tel:%2B49%20176%2023885016" value="+4917623885016" target="_blank">+49 176 23885016</a></div><div>skype: mikwolbre</div></span>
</div><div><div>
<br><div><div>On 04/11/2011, at 06.53, Merci Javier wrote:</div><br><blockquote type="cite"><br>Agreed. That's a fail. <br><br>Couldn't even decode it with one of the tools given <a href="http://wordpress.org/support/topic/theme-decoding-thread?replies=43" target="_blank">http://wordpress.org/support/topic/theme-decoding-thread?replies=43</a> Just curious what was there.<br>
<br><br><br><div class="gmail_quote">On Thu, Nov 3, 2011 at 10:16 PM, Doug Stewart <span dir="ltr"><<a href="mailto:zamoose@gmail.com" target="_blank">zamoose@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
That base64 should be enough to FAIL immediately.<br>
<div><div></div><div><br>
On Fri, Nov 4, 2011 at 1:12 AM, Tyler Cunningham<br>
<<a href="mailto:seizedpropaganda@gmail.com" target="_blank">seizedpropaganda@gmail.com</a>> wrote:<br>
> Hey all,<br>
> Finally had some time to sit down and do some reviews so I was clearing out<br>
> some of the priority 1 tickets and came across something I wanted to run by<br>
> some of the more senior review members. Check out the following diff:<br>
> <a href="http://themes.trac.wordpress.org/changeset?old_path=/naturefox/1.0.5&new_path=/naturefox/1.0.6#file8" target="_blank">http://themes.trac.wordpress.org/changeset?old_path=/naturefox/1.0.5&new_path=/naturefox/1.0.6#file8</a><br>
> As soon as I saw the naturefox_credits function a red flag came up. Should I<br>
> ask the author what the purpose behind this is? Is this a no-no?<br>
> Thanks.<br>
> Regards,<br>
><br>
> Tyler Cunningham | Founder, COO - CyberChimps LLC<br>
> @tylerbcunning<br>
> <a href="http://gplus.to/tylercunningham" target="_blank">http://gplus.to/tylercunningham</a><br>
> <a href="http://linkedin.com/in/tylerbcunningham" target="_blank">http://linkedin.com/in/tylerbcunningham</a><br>
> <a href="mailto:tyler@cyberchimps.com" target="_blank">tyler@cyberchimps.com</a><br>
><br>
><br>
</div></div>> _______________________________________________<br>
> theme-reviewers mailing list<br>
> <a href="mailto:theme-reviewers@lists.wordpress.org" target="_blank">theme-reviewers@lists.wordpress.org</a><br>
> <a href="http://lists.wordpress.org/mailman/listinfo/theme-reviewers" target="_blank">http://lists.wordpress.org/mailman/listinfo/theme-reviewers</a><br>
><br>
><br>
<font color="#888888"><br>
<br>
<br>
--<br>
-Doug<br>
</font></blockquote></div><br>
</blockquote></div><br></div></div></div></div><br>
<br></blockquote></div><br>
</div></div><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br>My Blog: <a href="http://pross.org.uk/" target="_blank">http://pross.org.uk/</a><br>Plugins : <a href="http://pross.org.uk/plugins/" target="_blank">http://pross.org.uk/plugins/</a><br>
Themes: <a href="http://wordpress.org/extend/themes/profile/pross" target="_blank">http://wordpress.org/extend/themes/profile/pross</a><br>
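<div>An added example, not part of the original thread and not the repository uploader's own code: a reviewer-side scan that still flags the construct discussed above, where a plain search for <code>base64_decode</code> finds nothing because the name is assembled from pieces. The PHP sample, the watch-list and all function names are constructed for illustration.</div>

```python
import base64
import re

# Assumed watch-list for this example; a real review tool would carry its own.
SUSPECT = ("base64_decode", "gzinflate", "str_rot13")
_LITERAL = r"""(?:'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*")"""
_CHAIN = re.compile(rf"{_LITERAL}(?:\s*\.\s*{_LITERAL})*")  # 'a' . 'b' . 'c'
_LIT = re.compile(_LITERAL)
_B64 = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")
_VAR_CALL = re.compile(r"\$\w+\s*\(")  # $f(...) : call through a variable

# Constructed sample, written to resemble the pattern the thread describes.
SAMPLE = """<?php
function demo_credits() {
    $f = 'base64' . '_' . 'decode';
    return $f('aHR0cDovL2V4YW1wbGUuY29tLw==');
}
"""

def naive_check(src):
    """Literal search: the kind of check a split name gets around."""
    return "base64_decode" in src

def try_b64(text):
    """Return decoded printable ASCII if text is plausible base64, else None."""
    if not _B64.fullmatch(text) or len(text) % 4:
        return None
    try:
        raw = base64.b64decode(text, validate=True)
    except ValueError:
        return None
    return raw.decode("ascii") if raw and all(32 <= b < 127 for b in raw) else None

def scan(src):
    """Return (line, kind, detail) findings for a PHP source string."""
    findings = []
    for m in _CHAIN.finditer(src):
        line = src.count("\n", 0, m.start()) + 1
        parts = [lit[1:-1] for lit in _LIT.findall(m.group(0))]
        joined = "".join(parts)  # value the concatenation has at run time
        for name in SUSPECT:
            if len(parts) > 1 and name in joined:
                findings.append((line, "split-name", name))
        decoded = try_b64(joined)
        if decoded and "://" in decoded:
            findings.append((line, "encoded-url", decoded))
    for m in _VAR_CALL.finditer(src):
        line = src.count("\n", 0, m.start()) + 1
        findings.append((line, "variable-call", m.group(0)))
    return findings
```

<div>The scan is a heuristic for flagging files for human review: it does not parse PHP, so quotes inside comments can throw off the literal matching.</div>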