← Back to context

Comment by CharlesW

2 years ago

So WordPress-the-org — which is effectively Matt, as far as I can tell — just Sherlocked a developer's plug-in using the developer's own code, ostensibly as retribution for a security issue that the developer had already fixed. https://www.advancedcustomfields.com/blog/acf-6-3-8-security...

What am I missing?

52 comments

CharlesW

Reply
sureIy  2 years ago

> Sherlocked

The verb you're looking for is stole

Sherloking is when a Walmart is built next to a cornershop. Here the dude tore open the corner shop while claiming to be a victim.

  • CharlesW  2 years ago

    When I posted, I was under the impression that ACF was open source. But the GitHub repo doesn’t list one, so if it’s not open source…WTF.

  • snapetom  2 years ago

    Or, more blatant and accurate, Sherlocking is when Apple literally named their search product "Sherlock" when a popular third party shareware app named "Watson" already existed.

photomatt  2 years ago

This release fixes a separate security vulnerability from the original update.

  • DanielLestrange  2 years ago

    Unfortunately you have no proof of that, because the only relevant changes are actually neither introducing fixes, nor ever changing the plugin core code in a way that fixes security issues. The only thing done is removing a LOT of references, links, and instructions that would remind of WP Engine, as well as all compatibility with the POR features.

    Then, you added a few irrelevant changes that to the inexperienced eye look like security fixes https://plugins.trac.wordpress.org/changeset?old_path=%2Fadv...

    However, these are no fixes. You just introduce a new variable, that you never use, and re-assign the same contents of that new variable back to the $_REQUEST

    Unless you show proof of a security fix - which you could have pushed to users WITHOUT renaming the plugin, WITHOUT removing original, non-security related code, and WITHOUT breaking compatibility with the PRO features - you have LIED and STOLEN code in the name of WP.ORG

    This will hopefully be recognized by WP Engine and if god wills, remove you from the equation once and for all legally speaking.

    • seba_dos1  2 years ago

      > However, these are no fixes. You just introduce a new variable, that you never use, and re-assign the same contents of that new variable back to the $_REQUEST

      While this whole takeover thing is completely ridiculous, it's you who displays an "inexperienced eye" here. What do you think the $original_post variable (which was already there) is doing, huh?

      11 replies →

  • ankleturtle  2 years ago

    You are abusing the community for your own gain. Stop!

    • bigiain  2 years ago

      So far as I can tell, when Matt talks about "the WordPress Community", he means:

        - Matt
  - the people who didn't quit Automattic last week
  - _maybe_ the WP core developers who don't work at Automattic, so long as they keep their criticisms to themselves

      And the community of people who _use_ WordPress to run their websites, and the people who help them to do that, and the 3rd party plugin and theme developers who make WP work for so many different kinds of websites - can all go and get fucked.

  • gg-plz  2 years ago

    The maintainers [1] and the Wordpress project’s core security team lead [2] said that the fix was already published, despite your blocking them from publishing it directly and irresponsibly disclosing the issue out of spite [3].

    Was that not true?

    [1] https://x.com/wp_acf/status/1843376378210857441

    [2] https://x.com/johnbillion/status/1843750679141331039

    [3] https://x.com/johnbillion/status/1842627564453454049