[wp-meta] [Making WordPress.org] #5464: Plugin Directory: Prevent SVN uploads of animated banners and icons

Making WordPress.org noreply at wordpress.org
Fri Oct 23 06:51:49 UTC 2020


#5464: Plugin Directory: Prevent SVN uploads of animated banners and icons
------------------------------+---------------------
 Reporter:  Ipstenu           |       Owner:  (none)
     Type:  defect            |      Status:  new
 Priority:  normal            |   Milestone:
Component:  Plugin Directory  |  Resolution:
 Keywords:                    |
------------------------------+---------------------

Comment (by dd32):

 So, I went on a bit of an implementation attempt today here..

 I went with attempting to return animated assets like so:
 {{{
 https://s.w.org/plugins/remove-animation/$plugin/$animated_asset
 }}}

 That works great for animated GIFs & PNGs (even when saved as .jpg), but
 SVGs are quite a bit harder. For standard images, I'm just running them
 through `imagecreatefromstring()` and `imagepng()` to output the first
 frame.

 I've found that appending the following to SVGs tends to work well as
 well:
 {{{
 <script> SVGRoot.pauseAnimations(); </script>
 <style>* { animation: none !important; }</style>
 }}}

 The problem I ran into was that it increases the potential for JavaScript
 execution on a WordPress.org domain, something that
 plugins.svn.wordpress.org & ps.w.org currently protect against, and so
 serving those SVGs via s.w.org is a bit too risky for me.

 So.. I think the correct way to handle this is just to rip the band-aid off
 and block them.

 I don't think blocking the SVN commit itself is worth it, just block it at
 the plugin directory import step.

 Blocking images based on multi-frame is easy enough it seems. SVGs are
 more difficult, but we can probably just block on the file containing
 `<script`, `animate`, or `animation`. I'm sure there are a few ways around
 that though, but if someone can work around that, they deserve a ban
 hammer :)

-- 
Ticket URL: <https://meta.trac.wordpress.org/ticket/5464#comment:8>
Making WordPress.org <https://meta.trac.wordpress.org/>
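An added example, not code from the ticket or from the WordPress.org plugin directory, of the import-step check dd32 sketches above: count GIF image descriptors, look for an APNG acTL chunk, and match `<script`/`animate`/`animation` in SVGs, sniffing the bytes rather than trusting the extension (hence the ".jpg that is really a GIF" case). Function names and the minimal constructed sample files are assumptions.

```python
import re, struct, zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"
SVG_BLOCKLIST = re.compile(rb"<script|animate|animation", re.IGNORECASE)

def gif_frame_count(data: bytes) -> int:  # walk the GIF block structure, one image descriptor per frame
    def skip_sub_blocks(p):  # data sub-blocks: <len><bytes>... until a 0x00 terminator
        while data[p]:
            p += data[p] + 1
        return p + 1
    def table_size(flags):  # optional colour table: 3 * 2^(N+1) bytes when bit 7 is set
        return 3 << ((flags & 7) + 1) if flags & 0x80 else 0
    pos, frames = 13 + table_size(data[10]), 0  # 6-byte header + 7-byte logical screen descriptor
    while data[pos] != 0x3B:  # 0x3B is the trailer
        if data[pos] == 0x21:  # extension: introducer, label, then sub-blocks
            pos = skip_sub_blocks(pos + 2)
        elif data[pos] == 0x2C:  # image descriptor: 9 bytes, local table, LZW code size, sub-blocks
            frames += 1
            pos = skip_sub_blocks(pos + 10 + table_size(data[pos + 9]) + 1)
        else:
            raise ValueError("corrupt GIF block at offset %d" % pos)
    return frames

def png_is_animated(data: bytes) -> bool:  # APNG declares itself with an acTL chunk before the first IDAT
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if ctype == b"acTL":
            return True
        if ctype in (b"IDAT", b"IEND"):
            return False
        pos += 12 + length  # 4 length + 4 type + data + 4 crc
    return False

def should_block(data: bytes) -> bool:  # sniff the bytes (the extension is untrusted), then apply the rule
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return gif_frame_count(data) > 1
    if data[:8] == PNG_SIG:
        return png_is_animated(data)
    if b"<svg" in data[:1024].lower():
        return SVG_BLOCKLIST.search(data) is not None
    return False
# Constructed minimal samples: 1x1 still GIF, two-frame GIF, still PNG, APNG and an animated SVG.
_FRAME = b"\x2c" + b"\x00\x00\x00\x00\x01\x00\x01\x00\x00" + b"\x02\x02\x4c\x01\x00"
GIF_STILL = b"GIF89a\x01\x00\x01\x00\x00\x00\x00" + _FRAME + b"\x3b"
GIF_ANIMATED = GIF_STILL[:13] + _FRAME + _FRAME + b"\x3b"
def _chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))
_IHDR, _IDAT = _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)), _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
PNG_STILL = PNG_SIG + _IHDR + _IDAT + _chunk(b"IEND", b"")
PNG_ANIMATED = PNG_SIG + _IHDR + _chunk(b"acTL", struct.pack(">II", 2, 0)) + _IDAT + _chunk(b"IEND", b"")
SVG_ANIMATED = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"><animate attributeName="r" to="9"/></circle></svg>'
```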