[theme-reviewers] Theme Scan Failing
Simon Prosser
pross at pross.org.uk
Sun Nov 28 17:25:54 UTC 2010
in the current version of the plugin, and all other versions:
if eval() base64_decode or uudecode() or str_rot13() are found you
will get critical error and the filename AND a snippet will be shown
The suspicious code check is a custom check on the wp uploader that
checks for fopen and file_get_contents i think ( as well as a few
others? )
The latest version of my plugin (trunk and .7) also have these checks
but are outputed as INFO
On 28 November 2010 17:14, Sayontan Sinha <sayontan at gmail.com> wrote:
> I should add that my submission went through too, though, because the checks
> have not been enforced on the submission process.
>
> On Sun, Nov 28, 2010 at 9:12 AM, Sayontan Sinha <sayontan at gmail.com> wrote:
>>
>> I faced the same problem, getting a "fail" result due to suspected
>> malicious code. I do recall that a few weeks back when I had tried out the
>> original online theme checker it had indicated the names of the files that
>> it believed to have the suspicious code, but online verification is no
>> longer available there, and the Theme Check plugin doesn't give this output
>> either.
>>
>> On Sun, Nov 28, 2010 at 5:54 AM, Philip M. Hofer (Frumph)
>> <philip at frumph.net> wrote:
>>>
>>> Then i'm pretty much at a loss unless its that unescape( in the json
>>> cookiejar which pretty much is on the return of an escaped string which is
>>> a protection
>>>
>>>
>>>
>>>
>>> ----- Original Message ----- From: "Simon Prosser" <pross at pross.org.uk>
>>> To: <theme-reviewers at lists.wordpress.org>
>>> Sent: Sunday, November 28, 2010 5:42 AM
>>> Subject: Re: [theme-reviewers] Theme Scan Failing
>>>
>>>
>>>> fopen isnt checked for, many themes use it for caching remember
>>>>
>>>> On 28 November 2010 13:39, Philip M. Hofer (Frumph) <philip at frumph.net>
>>>> wrote:
>>>>>
>>>>> Hrm.. probably the fopen in the paypal transaction IPN then. /shrug
>>>>> nothing
>>>>> I can do about that, at least it still pushed it through.
>>>>>
>>>>> - Phil
>>>>>
>>>>> ----- Original Message ----- From: "Jon Cave" <jon at lionsgoroar.co.uk>
>>>>> To: <theme-reviewers at lists.wordpress.org>
>>>>> Sent: Sunday, November 28, 2010 5:37 AM
>>>>> Subject: Re: [theme-reviewers] Theme Scan Failing
>>>>>
>>>>>
>>>>>> On Sun, Nov 28, 2010 at 1:18 PM, Philip M. Hofer (Frumph)
>>>>>> <philip at frumph.net> wrote:
>>>>>>>
>>>>>>> Soo Otto what exactly are you caring about here that it causes a
>>>>>>> fail?
>>>>>>
>>>>>> My guess (based on the last themecheck code I've seen) is that it's
>>>>>> the warning of suspicious code that's failing it. The other two are
>>>>>> just notifications but don't cause a fail.
>>>>>>
>>>>>>> What specific 'malicious' code? .. I dont use base64 anywhere, at
>>>>>>> all.
>>>>>>> Everything necessary is protected with evaluators and nonce's.
>>>>>>
>>>>>> I think that warning is for file_get_contents(__FILE__) or fopen,
>>>>>> again based on the last I saw of the theme checks.
>>>>>>
>>>>>>> Don't care about editor styles, at all; won't create one.
>>>>>>
>>>>>> It's a recommended guideline so the check is just highlighting it,
>>>>>> doubt it's a cause of failure.
>>>>>>
>>>>>>> I use includes & get_template_parts() in appropriate places, I won't
>>>>>>> use
>>>>>>> get_template_part because of the performance of checking both the
>>>>>>> child
>>>>>>> theme and root theme and it always needs to just load the parent
>>>>>>> themes
>>>>>>> functions and not overriden by child themes functions of the same
>>>>>>> name.
>>>>>>>
>>>>>>> Although included *in* parsed to output functions use
>>>>>>> get_template_part()
>>>>>>> as
>>>>>>> necessary
>>>>>>
>>>>>> As above doubt it's cause of failure, just picking up of possible
>>>>>> violation of required guideline.
>>>>>>
>>>>>> Just my thoughts, will need Otto to confirm or deny.
>>>>>> _______________________________________________
>>>>>> theme-reviewers mailing list
>>>>>> theme-reviewers at lists.wordpress.org
>>>>>> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> theme-reviewers mailing list
>>>>> theme-reviewers at lists.wordpress.org
>>>>> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> My Blog: http://www.pross.org.uk/
>>>> Plugins : http://www.pross.org.uk/plugins/
>>>> Themes: http://wordpress.org/extend/themes/profile/pross
>>>> _______________________________________________
>>>> theme-reviewers mailing list
>>>> theme-reviewers at lists.wordpress.org
>>>> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>>>>
>>>
>>>
>>> _______________________________________________
>>> theme-reviewers mailing list
>>> theme-reviewers at lists.wordpress.org
>>> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>>
>>
>>
>> --
>> Sayontan Sinha
>> http://mynethome.net | http://mynethome.net/blog
>> --
>> Beating Australia in Cricket is like killing a celebrity. The death gets
>> more coverage than the crime.
>>
>
>
>
> --
> Sayontan Sinha
> http://mynethome.net | http://mynethome.net/blog
> --
> Beating Australia in Cricket is like killing a celebrity. The death gets
> more coverage than the crime.
>
>
> _______________________________________________
> theme-reviewers mailing list
> theme-reviewers at lists.wordpress.org
> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>
>
--
My Blog: http://www.pross.org.uk/
Plugins : http://www.pross.org.uk/plugins/
Themes: http://wordpress.org/extend/themes/profile/pross
More information about the theme-reviewers
mailing list