Who could foresee that a plugin would get pulled from the WordPress plugin directory for a security issue when the developer has left in commented out security checks?

@PluginVulnerabilities · 1 year ago

Who could foresee that a plugin would get pulled from the WordPress plugin directory for a security issue when the developer has left in commented out security checks?

🅿🅸🆇🅴🅻 · edit-2 1 year ago

The bigger sin is the use of “Yoda style” order of “if” statements with the value before the variable. I don’t get the “protecting from myself” thinking, it’s atrocious to read. He even went with the “===”’ operator, hard to miss two equal signs for it to become an assignment, so why bother?

@mad_ratzinger · 1 year ago

Context please.

@PluginVulnerabilities · 1 year ago

This is the plugin: https://wordpress.org/plugins/sendpress/ These are security changes the developer made today, which presumably is in response to the plugin being closed for a security issue: https://plugins.trac.wordpress.org/changeset/2990357/ Here is the file from the screenshot: https://plugins.trac.wordpress.org/browser/sendpress/trunk/classes/views/class-sendpress-view-pro.php?rev=2990358 The code in that file is still missing needed security even after the security change made today.

@mad_ratzinger · 1 year ago

Thank you for the info