
    172 points ValentineC | 14 comments
    1. discostrings No.41821577
    Blog post on wordpress.org concerning this: https://wordpress.org/news/2024/10/secure-custom-fields/
    replies(5): >>41821660 #>>41821693 #>>41821701 #>>41823726 #>>41825054 #
    2. righthand No.41821660
    > There is separate, but not directly related news that Jason Bahl has left WP Engine to work for Automattic and will be making WPGraphQL a canonical community plugin. We expect others will follow as well.

    Anything to prop up their position and throw the company they are attacking under the bus. What a jerk.

    replies(1): >>41822389 #
    3. 0cf8612b2e1e No.41821693
    > This is a rare and unusual situation brought on by WP Engine’s legal attacks, we do not anticipate this happening for other plugins.

    Yeah, that is not how trust works.
    4. smarx007 No.41821701
    > This update is as minimal as possible to fix the security issue.

    What is the actual issue? CVE number?

    replies(4): >>41821713 #>>41821766 #>>41821803 #>>41821830 #
    5. kristofferR No.41821713
    I think they mean that it's developed by WP Engine and that's the security issue.
    6. Sebguer No.41821766
    Details haven't been made public yet: https://www.cve.org/CVERecord?id=CVE-2024-9529

    Though, Automattic posted publicly that there was a vulnerability shortly after filing the CVE, while simultaneously blocking WP Engine from being able to push a fix to it because they'd cut off access to wp.org.

    replies(1): >>41824939 #
    7. mananaysiempre No.41821803
    I can’t find the actual number because Automattic’s tweet[1] announcing it has been deleted, but it’s the one mentioned in the ACF 6.3.8 release notes[2]. The authors of ACF can’t upload that version to wordpress.org themselves because Matt banned them from there before making the announcement.

    ETA: Matt says[3] it’s a different vulnerability. Anybody willing to break out the almighty diff?

    [1] Discussed at the time: https://news.ycombinator.com/item?id=41752289

    [2] https://www.advancedcustomfields.com/blog/acf-6-3-8-security...

    [3] https://news.ycombinator.com/item?id=41821829

    8. jorams No.41821830
    The diff contains two (identical) changes that aren't just ripping out upgrade notices for the pro version: Two functions that stop callbacks from accessing $_POST now also stop them from accessing $_REQUEST, which also contains everything in $_POST. Also confirmed by WP Engine's update notice[1].

    I honestly don't see why anyone would treat this as a security issue. Everything involved is PHP code that can do whatever it wants, not in any kind of sandbox.

    Edit: And even if it were, this update doesn't fix the problem. POST variables can still be accessed:

        filter_input(INPUT_POST, 'name');
    
    [1]: https://www.advancedcustomfields.com/blog/acf-6-3-8-security...
    9. None4U No.41822389
    Which, by the way, previously ended with "We expect others will defect as well." before the post was edited.
    replies(1): >>41822785 #
    10. righthand No.41822785
    Not surprised. What scum.
    11. hadad No.41823726
    The support notice got deleted[1]. The plugin developer got banned. Blocking access from certain IPs. Shady or problematic hosting terms[2]. I think hosting your code on wordpress.org is considered dangerous.

    1. https://wordpress.org/support/topic/future-updates-for-acf-a...

    2. https://github.com/wordpress/wporg-plugin-guidelines/blob/tr...

    12. FireBeyond No.41824939
    I wonder how many Automattic resources Matt threw at ACF to find a vulnerability to catalyze this situation?
    replies(1): >>41825055 #
    13. No.41825054
    14. ImPostingOnHN No.41825055
    Same, I was imagining Gavin Belson and his warehouse full of Hooli employees scouring over the Pied Piper demo.

    Similarly, this is all to resolve the personal grudge of an exceedingly rich dude who wants even more money.