[theme-reviewers] Theme submission fails on WARNING

Otto otto at ottodestruct.com
Sat Jun 25 18:33:03 UTC 2011


On Sat, Jun 25, 2011 at 1:24 PM, Darren Slatten <darrenslatten at gmail.com> wrote:
> So would it make sense to establish a best practice (or requirement) where
> themes should not (or must not) create files at all? In other words, themes
> would need to ship with those files already in place, even if only to
> function as placeholders to be overwritten.

Overwriting files in a theme is equally dangerous, not from the
perspective of security, but from the perspective of user-experience.

Remember, upgrading a theme erases any changes you've made to its
directory. Therefore the files would get reset/erased on an upgrade.

> Regarding the 666 permissions and Editor, why not have WP do a simple check
> for unsafe permissions and alert/remind the user to change them back to a
> more secure setting?
>
> I'm just thinking out loud here.

Generally speaking, "security" is about more than individual settings
or permissions or even file ownership. It's all relative to the
situation.

- On my local test environment, for example, having all the theme
files writable is no big deal. Nobody but me has access to the site.
- On my production blogs, they're running in setuid mode, so the files
are writable even with 644 permissions.
- On a dedicated server, having the files 666 is not unsafe because
nobody else has access to the box in the first place.

Warning the user about possible unsafe things causes annoyance when
your warning is incorrect or unnecessary. Best to simply state error
cases, like it does now. It's not testing for permissions, it's
checking to see if it has the ability to write to the file. If it
doesn't, then it becomes a view-only sort of interface.

Security of the server and its configuration is a bit out of scope
for the core to be doing, is basically what I'm trying to say. Too
many different servers and possible configurations to handle.
WordPress should only focus on being secure in and of itself. Of
course, you can make any site insecure with misconfiguration, but
should WP check for all of them?

-Otto
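
The distinction drawn in the message above, between testing permission bits and testing the ability to write, as an added example that is not part of the original message and is not WordPress core code. The function names and the temporary file are hypothetical; using PHP's `is_writable()` as the capability test is an assumption made for illustration.

```php
<?php
// Added illustration: compares a mode-bit heuristic with a capability test.
// Function names and the sample file are hypothetical, not WordPress code.

// What a "warn about unsafe permissions" check would look at: mode bits only.
function mode_looks_unsafe(string $path): bool {
    clearstatcache(true, $path);
    $mode = fileperms($path) & 0777;      // strip file-type bits
    return ($mode & 0022) !== 0;          // group- or world-writable
}

// What a capability test looks at: can this PHP process write the file now?
// The answer depends on ownership and on which user PHP runs as, not only on mode.
function editor_state(string $path): string {
    clearstatcache(true, $path);
    return is_writable($path) ? 'editable' : 'view-only';
}

// Constructed sample file, owned by the user running this script.
$file = tempnam(sys_get_temp_dir(), 'theme_');
file_put_contents($file, "/* placeholder stylesheet */\n");

foreach ([0644, 0666, 0444] as $mode) {
    chmod($file, $mode);
    printf(
        "%04o  mode-warning=%-3s  editor=%s\n",
        $mode,
        mode_looks_unsafe($file) ? 'yes' : 'no',
        editor_state($file)
    );
}

unlink($file);
```

Because the script owns the sample file, 0644 raises no mode-bit warning yet is still writable, which is the setuid situation described in the message; the two checks answer different questions.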

