[wp-hackers] WordPress plugin inspections

Harry Metcalfe harry at dxw.com
Wed Feb 19 20:55:25 UTC 2014


Hi Chris, Chip,

We do evaluate the code. An inspection usually takes about an hour, and 
we review the code for the things listed.

I can appreciate the point you're making here, but we do need that 
process to result in some conclusion that we can use to decide what to 
do. And as far as we're concerned, plugins which are littered with XSS 
and don't prepare their queries are, in fact, unsafe to use.

That said, we have tried our best to make it clear what that means. The 
red box links to the explanation of the process, which states:
> This plugin should not be used unless very careful consideration is 
> given to the vulnerabilities it probably contains and ways to mitigate 
> them.
Which, I think, is generally good advice.

Harry


On 19/02/2014 20:44, Chip Bennett wrote:
> For me, the incongruity happens when a "light touch review" leads to an
> "Unsafe To Use" conclusion. I don't see how you can justify such a
> conclusion without actually evaluating the code.
>
>
> On Wed, Feb 19, 2014 at 3:40 PM, Harry Metcalfe <harry at dxw.com> wrote:
>
>> Hi Josh,
>>
>> Thanks for the heads-up. I've had a quick look at the GitHub issue - I'll
>> reply to that feedback there.
>>
>> Regarding a private report - this isn't a vulnerability report. We do
>> those too (see the Advisories section) and we have a disclosure policy for
>> those which you can see here (https://security.dxw.com/disclosure/).
>>
>> Inspections are a very light touch thing, and we don't think they go into
>> enough detail to be able to make categorical claims about vulnerability.
>> The idea behind an inspection is to give a general sense of the sorts of
>> issues which might exist. I'm about to reply to Chris's post with more
>> explanation on that point.
>>
>> Harry
>>
>>
>>
>> On 19/02/2014 19:45, Josh Pollock wrote:
>>
>>> Harry-
>>>
>>> I am the community manager for Pods. We were made aware of your evaluation
>>> by a user who reported it in our GitHub issue tracker. Our lead
>>> developer, Scott K. Clark, has responded to your claims, which we do not
>>> consider to be fair, here:
>>>
>>> https://github.com/pods-framework/pods/issues/2043#issuecomment-35538379
>>>
>>> I would encourage you to contact the developers of plugins before
>>> releasing vulnerability reports. This sort of vague report doesn't help
>>> us improve our plugin, something we are constantly doing based on input
>>> from users. It only serves to potentially confuse users.
>>>
>>> Take care,
>>> Josh Pollock
>>>
>>>
>>> On Wed, Feb 19, 2014 at 1:43 PM, Harry Metcalfe <harry at dxw.com> wrote:
>>>
>>>> Hello list,
>>>> We write and publish light-touch inspections of WordPress plugins that we
>>>> do for our clients. They are just a guide - we conduct some basic checks,
>>>> not a thorough review.
>>>>
>>>> Would plugins which fail this inspection be of general interest to the
>>>> list and therefore worth posting? Is the list also interested in
>>>> vulnerability advisories, or do people tend to get those elsewhere?
>>>>
>>>> Here's an example report:
>>>>
>>>> https://security.dxw.com/plugins/pods-custom-content-types-and-fields/
>>>>
>>>> Grateful for a steer...
>>>>
>>>> Harry
>>>>
>>>>
>>>> --
>>>> Harry Metcalfe
>>>> 07790 559 876
>>>> @harrym
>>>>
>>>> _______________________________________________
>>>> wp-hackers mailing list
>>>> wp-hackers at lists.automattic.com
>>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>>>
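The two inspection findings Harry refers to above ("littered with XSS" and queries that are not prepared) are the patterns below. This is an added illustration, not code from the dxw inspection, the Pods plugin, or anyone on the thread; it assumes a loaded WordPress environment (the `$wpdb` global, `$wpdb->prepare()`, `esc_attr()`, `esc_html()`, `sanitize_text_field()`, `wp_unslash()`), and the table name, function names and request parameters are constructed for the example.

```php
<?php
// Added example (not from the page or the Pods project). Shows the two
// patterns a light-touch inspection would flag, each beside its safe form.
// Assumes WordPress is loaded; "widget_notes" and "q" are constructed names.

// Unprepared query: the caller-supplied value is interpolated straight into
// SQL, so a crafted slug changes the query rather than just the match value.
function notes_lookup_unsafe( $slug ) {
    global $wpdb;
    $sql = "SELECT id, body FROM {$wpdb->prefix}widget_notes WHERE slug = '$slug'";
    return $wpdb->get_results( $sql );
}

// Prepared query: $wpdb->prepare() binds the value to a %s placeholder, so
// WordPress quotes and escapes it; the query text itself never changes.
function notes_lookup_safe( $slug ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT id, body FROM {$wpdb->prefix}widget_notes WHERE slug = %s",
        $slug
    );
    return $wpdb->get_results( $sql );
}

// Reflected XSS: a request parameter is echoed into HTML unchanged, once
// inside an attribute and once as element text.
function notes_render_unsafe() {
    $q = isset( $_GET['q'] ) ? $_GET['q'] : '';
    echo '<input name="q" value="' . $q . '">';
    echo '<p>Results for ' . $q . '</p>';
}

// Escaped output: the input is unslashed and sanitised on the way in, then
// escaped for the specific output context (attribute vs. text) on the way out.
function notes_render_safe() {
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    echo '<input name="q" value="' . esc_attr( $q ) . '">';
    echo '<p>Results for ' . esc_html( $q ) . '</p>';
}
```

A reviewer doing the hour-long inspection described in the thread is essentially grepping for the first and third shapes: `$wpdb` calls whose SQL string contains an interpolated variable with no surrounding `prepare()`, and `echo`/`print` of `$_GET`, `$_POST` or `$_REQUEST` values (or of database rows) with no `esc_*` call at the point of output. The presence of those shapes is what the "probably contains vulnerabilities" wording is signalling; confirming exploitability would need the fuller review Harry says inspections do not attempt.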


