Bundled Flash

Adam Williamson awilliam at redhat.com
Fri Aug 23 00:43:58 UTC 2013


On Fri, 2013-08-16 at 01:42 -0700, Adam Williamson wrote:
> On Fri, 2013-08-16 at 15:41 +0800, Christopher Meng wrote:
> > WordPress?
> > 
> > Not easy.
> 
> Two of the ones in wordpress are both in upload libraries - plupload and
> swfupload. Both are present in the source tarball, it doesn't look like
> they're built during source compile.
> 
> It looks like we could lift swfupload right out with consequences that
> at least aren't fatal:
> 
> http://make.wordpress.org/core/2013/06/21/secure-swfupload/
> 
> "WordPress does not use SWFUpload, but we continue to include it in
> WordPress core for plugins that have yet to be updated to use Plupload,
> our upload library of choice."
> 
> I don't know how many plugins that affects, but at least not core
> WordPress. The bad news is that, as that text mentions, Plupload is
> Wordpress's "library of choice", and it's the other thing with a .swf
> file. I don't have Flash installed here so I'm not sure how vital it is
> to the functioning of the uploader, but it looks like it's just an
> alternative:
> 
> http://www.plupload.com/
> 
> "Allows you to upload files using HTML5, Gears, Silverlight, Flash,
> BrowserPlus or normal forms"
> 
> Noting the mention of Silverlight, the js/plupload directory also
> contains plupload.silverlight.xap, which I'll wager is a Silverlight
> blob.
> 
> I'd guess that the consequence of removing both .swf and .xap wouldn't
> be deadly and the regular old 'boring' HTML uploaders would continue to
> work, and recommend that we do that, and kill swfupload. I'm a sort of
> stealth co-maintainer of wordpress using my provenpackager privileges,
> but I don't use the upload functionality at all, so I'm reluctant to do
> this - Remi, can you look at it at all? Thanks.
> 
> Wordpress 3.6 introduces the 'mediaelement' include, and that one has
> yet another .swf and .xap:
> wp-includes/js/mediaelement/flashmediaelement.swf ,
> wp-includes/js/mediaelement/silverlightmediaelement.xap. We'll have to
> deal with those too when bumping to 3.6.
> 
> http://mediaelementjs.com/ says "Instead of offering an HTML5 player to
> modern browsers and a totally separate Flash player to older browsers,
> MediaElement.js upgrades them with custom Flash and Silverlight plugins
> that mimic the HTML5 MediaElement API.", and "HTML5 audio and video
> players in pure HTML and CSS.", so I'm hopeful we can just kill the
> blobs and not completely break stuff.
> 
> Oh, for the love of God, I just found one more:
> 
> wp-includes/js/tinymce/plugins/media/moxieplayer.swf
> 
> https://github.com/moxiecode/moxieplayer
> 
> somebody get me my gun. The inclusion of this crap in Wordpress is
> working out precisely as well as you'd expect:
> 
> http://seclists.org/fulldisclosure/2013/Jun/256
> 
> Basically I think all of these are fallbacks of one kind or another, and
> we could just yank them without hurting much. But further checking is
> required.

Looked into this a bit further this afternoon. Both swfupload and
plupload are open source projects, but Wordpress ships compiled binaries
in its 'source tarball', there is no build system in there for them at
all. Wordpress posts the sources for them on its site, though:
http://wordpress.org/download/source/

The Debian package includes the sources for them in its source tarball
in a 'missing sources' directory - you can grab
http://ftp.de.debian.org/debian/pool/main/w/wordpress/wordpress_3.5.2+dfsg-1.debian.tar.xz
and see the 'missing-sources' directory with a
README explaining the situation. The package documentation indicates
that they possibly actually rebuild the .swfs from this source during
package build, but I'm not expert enough at the Debian package format to
be able to see where and how exactly this is done. But we should
probably harmonize with them on this.

Not sure if Debian's done anything about the Silverlight bits, yet.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net
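The thread's recurring problem is that compiled Flash (.swf) and Silverlight (.xap) blobs keep turning up in directories of the WordPress tarball nobody thought to look in. The following script is an added example, not code from the thread or from the WordPress, Fedora or Debian projects: it walks an unpacked source tree and identifies these blobs by their file content rather than by extension, so a renamed or mis-named blob is still reported. The SWF and ZIP container signatures are the published ones; the sample tree that `demo()` builds is constructed here, with paths modelled on the ones named in the thread, and is not a real WordPress release.

```python
import io
import os
import tempfile
import zipfile
import zlib
from typing import List, Optional, Tuple

# Published container signatures: SWF files start with FWS (uncompressed),
# CWS (zlib-compressed) or ZWS (LZMA-compressed); a Silverlight .xap is a
# plain zip archive, so it starts with the zip local-file-header signature.
SWF_MAGICS = {b"FWS": "swf-uncompressed", b"CWS": "swf-zlib", b"ZWS": "swf-lzma"}
ZIP_MAGIC = b"PK\x03\x04"


def classify_blob(data: bytes) -> Optional[str]:
    """Label a compiled Flash/Silverlight blob by its content, or return None.

    Extension is deliberately ignored: the point is to catch blobs that were
    renamed or dropped into an unexpected directory.
    """
    if data[:3] in SWF_MAGICS:
        return SWF_MAGICS[data[:3]]
    if data[:4] == ZIP_MAGIC:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return None
        # A Silverlight application package carries AppManifest.xaml at the
        # root of the zip; an ordinary zip (e.g. a bundled theme) does not.
        if "AppManifest.xaml" in names:
            return "silverlight-xap"
    return None


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Walk a source tree and return sorted (relative path, label) pairs."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                label = classify_blob(fh.read())
            if label is not None:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                found.append((rel, label))
    return sorted(found)


def _write(root: str, rel: str, data: bytes) -> None:
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def build_sample_tree(root: str) -> None:
    """Create a constructed mini-tarball layout (hypothetical, not a real release)."""
    # zlib-compressed SWF: signature, version byte, little-endian length, body.
    cws = b"CWS\x0a" + (20).to_bytes(4, "little") + zlib.compress(b"\x00" * 12)
    _write(root, "wp-includes/js/plupload/plupload.flash.swf", cws)
    # Silverlight package: a zip with AppManifest.xaml at its root.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AppManifest.xaml", "<Deployment/>")
    _write(root, "wp-includes/js/plupload/plupload.silverlight.xap", buf.getvalue())
    # Plain JavaScript must not be flagged.
    _write(root, "wp-includes/js/plupload/plupload.js", b"var plupload = {};\n")
    # An uncompressed SWF hiding under a neutral extension is still caught.
    fws = b"FWS\x08" + (16).to_bytes(4, "little") + b"\x00" * 8
    _write(root, "wp-content/uploads/player.dat", fws)


def demo() -> List[Tuple[str, str]]:
    """Build the constructed tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, label in demo():
        print(f"{label:18} {rel}")
```

Run it against an unpacked tarball by calling `scan_tree("/path/to/wordpress")`; anything it lists is a compiled artifact with no build step in the tarball, which is exactly the set a packager needs either to rebuild from the separately published sources or to strip from the package.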