The trojan emoji

Written By Brian Krogsgard

29 thoughts on “The trojan emoji”

  1. Very interesting and informative.

    There was an easy fix for this all along: strict mode on MySQL. However, it would’ve broken “everything.”

    Obvious question: could WP enable strict mode on all new installs?

  2. What amazes me is that MySQL has been my hair-tearing problem (rant here) for years, and I had no idea it actually had a “suck less” switch.

  3. I once seriously lobbied core devs to at least include support for PostgreSQL, if not full DB wrappers for the top RDBMSs.

    But, the reply was deafening silence and looks that suggested I had just sprayed every lead developer with concentrated herpes.

  4. So does that mean any sites that haven’t upgraded to 4.2 or higher are still exposed? Wouldn’t that mean all the sites that just have security and minor updates set to auto but haven’t upgraded to 4.2 yet are unprotected? Or have they also released this as a separate security update after 4.2?

    • Even if they fixed the issue, if you didn’t upgrade your local version (and it’s not set to auto), it’s still there.

  5. Thank you very much for this article. However, it’s an insight into absolute ridiculousness. A security fix is named emoji support because “no one had any idea what it did because it was 1,000 lines of the database abstraction layer to just remove invalid characters.”

    At the end: we’re facing a mindset where “features” are intentionally labeled misleadingly in WP – so obviously you cannot trust any more what happens in WordPress core code. This is, by the way, the opposite of Open Source.

    I mean: no one ever wanted emojis! The “Disable Emojis” plugin has more downloads than all emoji plugins on wp.org combined. Nobody understood why this was added to core. Even in code comments you find ironic dissociations regarding the “very important” feature of emojis. And now we hear: it’s about security! – But wait – what if even this is not true …?

    When things have wrong labels, you cannot orientate any more. Such a mindset is the end of trust.

    • I don’t think this is a fair characterization. Emoji/utf8mb4 support was a good feature on its own, and it wasn’t included just because it was good cover. It was a convenient parallel to preventing a security vulnerability from being exposed.

      The security team is forced to work in a less open environment than the rest of core development. It’s not to be closed source, but to protect 23% of the web while a vulnerability doesn’t have a proper fix in place — it’s a safety measure.

      And just because more people disable it than previously used plugins to support it doesn’t make it an unworthy core feature. There are plenty of other considerations to make.

    • I have to agree with Frank here. The fact that OPEN SOURCE stands for freedom and full disclosure, and this was not made public 2 years ago or even currently when adding the EMOJI support, does not really instill trust within the community, and it violates the founding principles and the philosophy that Richard Stallman and many others worked so hard to create: the GNU General Public License.

      I am sorry, but looking at the facts here, so far we have Google Open Web Fonts superimposed on us, which tracks your data, and now the EMOJI thing; one has to really wonder if WordPress hasn’t sold out to the establishment, because it sure is looking that way, and from a security standpoint I can’t say that makes me feel too confident, considering the scope of the shit going on with the Government blatantly violating people’s privacy and taking what they want whenever they want. This is a very serious concern!!

    • Also, if anyone takes the time to do a (manual) fresh install of WordPress 4.2.2 on a live testing environment, you can see that “none” of the tables in phpMyAdmin are set to utf8mb4_unicode_ci! WHY IS THAT?

      If this was such a pending issue, then why, pray tell, did it take (2 years) to fix or come up with a solution? That right there is total B.S., because no one takes 2 years to solve a critical security crisis. That all by itself is completely improbable, as well as it being illogical to accept that as a suitable answer.

      • > That right there is total B.S because no one takes 2 years to solve a critical security crisis

        I can’t even begin to tell you how patently wrong you are. Some critical security bugs take not only years but in some cases decades to solve. Last November, for example, Microsoft fixed a 19-years-and-running critical remote code execution security issue that was present in every version of Windows since 95 (it also fixed another one that was also present since 95 but recently discovered).

        • I am not wrong, because anyone that places security (user security) at utmost priority does not take 2 years, or in Microsoft’s instance 19 years, to fix it.

          Why did it take Micro$oft 19 years to fix their security issues? Because they are more interested in their bottom line and live by the adage that we will (sell it now) and worry about fixing it later. In regards to how little Microsoft gives a flying F##ck about their users, Windows VISTA is the perfect example. Not only did they promise everything under the sun with that OS, but you also needed to spend thousands of dollars to get a computer with hardware robust enough to run it, and to add insult to injury, it was a complete piece of shit and it remains that way to the current date! Did they ever make good on their promise? The answer is NO, they did not.

          Enter Windows 7... Not only is this just a modified VISTA kernel with a slightly different GUI, but it is what VISTA should have been from the beginning!! Did Microsoft give Windows Vista users a FREE upgrade to Windows 7?

          The answer is NO, they did not!!

          Does this sound like a company that gives a fuck about your security? NO, IT DOES NOT!!

          It is amazing what you can accomplish when you actually give a damn. To use Microsoft as a reference to follow on security, or as a way to gauge standards, is a horrible idea, because they are a perfect example of what is wrong with present-day society and the mindset that goes along with it!!!

          • Please be civil. He was giving you a counter example, not putting Microsoft on a pedestal.

          • I am not being uncivil towards the gentleman that left the comment; I am emphasizing the point of how flawed the ideology of individuals and those in business is these days.

            I hope that clears things up.

        • Cam, it’s unfair to claim “no one takes 2 years to solve a critical security crisis,” and to “imply” the WordPress core developers don’t give a damn about security. Each problem presents its own difficulties, one of which is the fact that WordPress is used in many different server environments, even on Macs and Windows. Each problem also takes a different amount of time to resolve. Not all problems are black and white; there are often many variables to consider, which can sometimes take years to unravel and solve. Unless you were involved in the process to fix this security issue, it’s not fair for you, or anyone, to judge from a distance. On another note, if you, or someone else, had offered a suitable fix sooner than 2 years, and that solution had been rejected by the security team, then you’d have a reason to complain; otherwise you’re just being unfair to the entire team, rather than being thankful they cared enough to fix the problem, despite it taking 2 years of careful planning and research.

          The security team deserves a big “THANK YOU!” THANK YOU! THANK YOU! THANK YOU!

          • I am not trying to discredit those involved in the core development team. However, OPEN SOURCE represents FREEDOM, full transparency and community. By not saying anything for 2 years, they violated the trust of the community, and that makes them no different from corporate America.

            Considering that the whole point of Open Source is community involvement and community awareness and doing the exact opposite of what the evil corporate agenda does, what do we have left when the founding principles are ignored by a select few?

            That is not Open Source, and that is the entire problem here.

  6. Interestingly enough, there was a brief period during the 4.1 development cycle where STRICT_ALL_TABLES was turned on: https://core.trac.wordpress.org/ticket/21212#comment:32

    Got a bunch of failing unit tests when we were testing our plugins against (at the time) WP 4.1 alpha, and it was due to that. I suspect they pushed it in hoping it could be an “easy fix” but realized it would potentially “break” plugins/themes.

    Personally, I think it’d still be a good idea to get STRICT_ALL_TABLES turned on but just give plenty of leeway for plugin and theme devs to get their code ready.

    • It’s coming at some point. Core needs to get all of the issues with turning strict mode on breaking core stuff sorted first. There are a couple of people working on that atm.
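
The behaviour behind both the “strict mode was the easy fix” remark in comment 1 and the STRICT_ALL_TABLES breakage described in comment 6 can be reproduced in a few statements. What follows is an added example, not code from the original post, its comments, or WordPress core. It assumes MySQL 5.5.3 or later (so that utf8mb4 exists) and a column declared in MySQL’s 3-byte `utf8` character set (utf8mb3); the table name and the inserted strings are made up for the demonstration.

```sql
-- Added example; not code from the original post, its comments, or WordPress core.
-- Assumptions: MySQL 5.5.3+ (utf8mb4 available) and a column in MySQL's 3-byte
-- 'utf8' character set (utf8mb3). Table name and contents are made up.

-- First check which mode this session and the server are actually running in.
-- A client can change its own session mode after connecting, so the global value
-- alone does not tell you what a given application runs under.
SELECT @@SESSION.sql_mode, @@GLOBAL.sql_mode;

CREATE TABLE demo_comments (
    id   INT AUTO_INCREMENT PRIMARY KEY,
    body VARCHAR(10) CHARACTER SET utf8 COLLATE utf8_general_ci
);

-- -------------------------------------------------------------------------
-- 1) Non-strict mode (the historical default): input that does not fit the
--    column is reshaped with a warning, and the INSERT still succeeds.
-- -------------------------------------------------------------------------
SET SESSION sql_mode = '';

-- 'before' + U+1F600 (bytes F0 9F 98 80) + 'after', written as one utf8mb4 hex
-- literal so no collation mixing is involved. A 4-byte character cannot be
-- stored in 3-byte utf8, so MySQL keeps the row but cuts the value off at the
-- first invalid character: only 'before' survives, and everything after the
-- emoji is dropped (warning 1366, Incorrect string value).
INSERT INTO demo_comments (body) VALUES (_utf8mb4 X'6265666F7265F09F98806166746572');
SHOW WARNINGS;
SELECT id, body, CHAR_LENGTH(body) FROM demo_comments;

-- A value longer than VARCHAR(10) is likewise accepted and cut to 10 characters
-- (warning 1265, Data truncated).
INSERT INTO demo_comments (body) VALUES ('0123456789-and-the-rest');
SHOW WARNINGS;
SELECT id, body, CHAR_LENGTH(body) FROM demo_comments;

-- -------------------------------------------------------------------------
-- 2) Strict mode: the same statements are rejected outright, so what the
--    application validated is exactly what ends up in the table, or nothing.
-- -------------------------------------------------------------------------
SET SESSION sql_mode = 'STRICT_ALL_TABLES';

-- Rejected with error 1366 (Incorrect string value) instead of being truncated.
INSERT INTO demo_comments (body) VALUES (_utf8mb4 X'6265666F7265F09F98806166746572');

-- Rejected with error 1406 (Data too long for column) instead of being truncated.
INSERT INTO demo_comments (body) VALUES ('0123456789-and-the-rest');

-- Row count is unchanged by the two failed statements.
SELECT COUNT(*) FROM demo_comments;

DROP TABLE demo_comments;
```

Two caveats a practitioner will want. First, the “breaks everything” problem is visible in part 2: any existing INSERT or UPDATE that relied on silent truncation or on lenient coercion (too-long strings, an empty string into an integer column, and so on) turns from a warning into a hard error once strict mode is on, which is why plugin and theme test suites started failing when it was switched on during the 4.1 cycle. Second, STRICT_TRANS_TABLES only applies to transactional storage engines, while STRICT_ALL_TABLES also covers non-transactional ones such as MyISAM, so the latter is the one that removes the silent-truncation behaviour regardless of which engine the tables were created with.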

  7. I’m interested to know more about securing a website, even though I’ve not yet started steadily rolling my business online!
