[theme-reviewers] Emergency Call

Otto otto at ottodestruct.com
Tue Sep 7 17:58:31 UTC 2010


The uploader already scans for several things like that and rejects
themes with them in there. No, I'm not going to say exactly what it
scans for, because the bottom line is that there's really no way to be
100%. I could write ways around them all without really trying too
hard, and I've seen all those ways being used in malware before. The
best we can really do is put up a minor blocker for newbies at this
sort of thing. Like Matt is fond of saying, it's a club solution. I'm
not sure where to begin at coming up with a LoJack solution.
(http://diveintomark.org/archives/2002/10/29/club_vs_lojack_solutions)

I finally concluded that scanning for "fopen" wouldn't be particularly
useful, IMO. There are legit uses for it, although there are probably
better ways to do whatever is being done there.

Still, I'd be wary of any theme that used it and would suggest asking
for help on scanning through such a theme.

Better ideas of how to do this sort of thing are welcome.

-Otto


On Tue, Sep 7, 2010 at 11:47 AM, Kenneth Newman <ken.adcstudio at gmail.com> wrote:
> On the question of "fopen", "base64_decode" and other troublesome functions.
>
> WordPress.org can say openly, something like:
>
> "Certain functions and patterns, although rarely but occasionally useful,
> cannot be used in Themes submitted to Extend. The reason is that it allows
> us to scan for malware and keep our repository safer. You can still use
> these functions if you must, but then we cannot host your theme."
>
> Then Otto and the guys could write good filters to disallow dangerous
> scripts without worrying about legitimate code.
>
> _______________________________________________
> theme-reviewers mailing list
> theme-reviewers at lists.wordpress.org
> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>
>
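As an added example (not the uploader's code and not anything Otto or Kenneth posted), here is a small Python scanner of the "club" kind Otto describes. It tokenizes PHP source just enough to ignore comments and string literals, flags direct calls to a deny list of the sort Kenneth proposes, and separately flags variable function calls (`$name(...)`) that a static scanner cannot resolve, which is exactly the limit Otto points to: those can only be routed to a human reviewer. The deny list, file names and sample theme contents are constructed for this example; heredocs and `include` of remote files are deliberately out of scope.

```python
import re
from dataclasses import dataclass

# Constructed deny list for the example. The real uploader's list is not
# public (Otto declines to say what it scans for), so this is an assumption.
DENY_LIST = {
    "fopen", "base64_decode", "eval", "system", "exec", "shell_exec",
    "passthru", "assert", "create_function",
}


@dataclass
class Finding:
    path: str
    line: int
    kind: str     # "denied_call" (policy violation) or "dynamic_call" (unresolvable)
    detail: str   # the function name, or the variable used as a function


# Comments and string literals are matched first so that "fopen" inside a
# comment or a message string does not count. Then variable-function calls
# ($name( ... )) and finally plain calls (name( ... )), excluding method and
# static calls (->name(, ::name() which are theme code, not PHP builtins.
_TOKEN_RE = re.compile(r"""
    (?P<comment>/\*.*?\*/|//[^\n]*|\#[^\n]*)            # PHP comments
  | (?P<string>'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")      # quoted strings
  | (?P<dyncall>\$[A-Za-z_]\w*)\s*\(                    # $func( ... )
  | (?<![\w$>:-])(?P<call>[A-Za-z_]\w*)\s*\(            # func( ... )
""", re.VERBOSE | re.DOTALL)


def scan_source(path: str, source: str) -> list[Finding]:
    """Return findings for one PHP file's contents."""
    findings: list[Finding] = []
    for m in _TOKEN_RE.finditer(source):
        kind = m.lastgroup
        if kind in ("comment", "string"):
            continue  # identifiers inside comments/strings are not calls
        line = source.count("\n", 0, m.start()) + 1
        if kind == "dyncall":
            # The callee is only known at runtime; static scanning cannot
            # tell a harmless helper from a disguised fopen/eval.
            findings.append(Finding(path, line, "dynamic_call", m.group("dyncall")))
        elif kind == "call":
            name = m.group("call").lower()  # PHP function names are case-insensitive
            if name in DENY_LIST:
                findings.append(Finding(path, line, "denied_call", name))
    return findings


def review(files: dict[str, str]) -> tuple[str, list[Finding]]:
    """Apply a simple policy: reject on any denied call, hand off to a
    human when only unresolvable dynamic calls were seen, else accept."""
    findings = [f for path, src in files.items() for f in scan_source(path, src)]
    if any(f.kind == "denied_call" for f in findings):
        return "reject", findings
    if findings:
        return "manual_review", findings
    return "accept", findings


# Constructed sample theme: one file with a real fopen() call plus decoys
# in a comment and a string, and one file with a variable function call.
SAMPLE_THEME = {
    "functions.php": """<?php
// fopen in a comment must not count
function theme_setup() {
    add_theme_support('post-thumbnails');
    $label = "calling fopen() in a string is also fine";
    $fh = fopen(get_template_directory() . '/cache.txt', 'r');
}
""",
    "footer.php": """<?php
$render = 'some_helper';
$render($args);    // variable function: cannot be resolved statically
""",
}

if __name__ == "__main__":
    verdict, found = review(SAMPLE_THEME)
    print(verdict)
    for f in found:
        print(f"{f.path}:{f.line}: {f.kind} {f.detail}")
```

Running it prints `reject`, with `functions.php:6: denied_call fopen` and `footer.php:3: dynamic_call $render`. The second finding is the point: nothing in the scanner can say what `$render` is, so the policy can only escalate it, which is why a scanner like this blocks newcomers but not anyone willing to indirect a call.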