12 Comments


  1. I started the discussion on the forum mailing list because I found a copy of a repository theme that had base64 in it when I was helping on this topic: http://wordpress.org/support/topic/414732?replies=8. I did a quick Google search for the theme he was having a problem with and downloaded it. I soon realized that the bad site had only switched 2 letters in the theme name and added some spam links in functions.php.

    This got me going through the decode sticky post, and I started finding pirate themes from Woo, Studio Press, and Thesis, which is not GPL.

    I agree that we shouldn’t be offering support for premium themes in the forums, but we have an obligation to protect WordPress users. At the same time, as Jane Wells stated, we should also not be promoting the use of pirated themes.

    Some of the pirate themes in question are not GPL and just as WordPress is firm on the GPL stance it should also respect other licenses by not helping users get around those licenses.

    My stance is that we should not be decoding themes for users, but we have an obligation to warn them of possible harm and should be educating them on the ethics and dangers involved.

  2. _ck_

    You should NEVER allow the use of EVAL in any of your plugins or themes.

    Not only is it a huge security risk, it’s also a big performance hit.


  3. @_ck_ – No one has ever provided me a GOOD reason to use EVAL in a theme or plugin. Does a good reason exist?


  4. Most premium themes are already available on various websites as pirated versions, and they are all modified to include tons of hidden spam links in the footer or header (at the very least), but some I had a chance to examine (one of my clients got a few of them and thought it would be a good idea to use them) had a lot of base64- and eval-encoded content that (after decoding it) was adding iframes to another website and, in one case, sending the currently logged-in user’s info to an IP coded inside the malicious content.

    GPL is a freedom to distribute, but some things go too far away from simple distribution. Getting the premium theme the easy way, pirated, to save a few bucks will potentially open a door for all sorts of exploits that a less experienced user will not be prepared to deal with, and he will be left with no support since he decided to save some money.

    I think that WP.org is scanning all uploaded themes for eval or base64 functions and doesn’t allow that to appear anywhere.
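The kind of check the commenter describes, scanning a theme file for eval/base64 calls and decoding the literal layer so a reviewer can see what the hook actually emits, as an added example that is not code from the original post or from WordPress.org (the sample functions.php below is constructed for this example):

```python
import base64
import re

# PHP functions that obfuscated theme code typically leans on (list chosen for this example).
SUSPICIOUS_CALLS = re.compile(
    r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13|create_function)\s*\(",
    re.IGNORECASE,
)
# eval(base64_decode('<literal>')): when the payload is a string literal we can decode it for review.
EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)",
    re.IGNORECASE,
)

def scan_php(source: str):
    """Return (line_number, function_name, decoded_preview_or_None) for each suspicious call."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in SUSPICIOUS_CALLS.finditer(line):
            name = m.group(1).lower()
            preview = None
            if name == "eval":
                inner = EVAL_B64.search(line)
                if inner:
                    try:
                        raw = base64.b64decode(re.sub(r"\s", "", inner.group(1)))
                        preview = raw.decode("utf-8", "replace")[:80]  # first 80 chars only
                    except ValueError:  # covers binascii.Error (bad padding etc.)
                        preview = None
            findings.append((lineno, name, preview))
    return findings

def risk_level(findings) -> str:
    """eval anywhere in a theme is treated as high; other decode helpers as medium."""
    if any(name == "eval" for _, name, _ in findings):
        return "high"
    return "medium" if findings else "clean"

# Constructed sample: an ordinary functions.php with an injected wp_footer hook.
DECODED_SAMPLE = b"echo '<a href=\"http://example.com/\">sponsored</a>';"
PAYLOAD = base64.b64encode(DECODED_SAMPLE).decode()
SAMPLE_FUNCTIONS_PHP = f"""<?php
// constructed sample theme file for this example
function theme_setup() {{
    add_theme_support('post-thumbnails');
}}
add_action('after_setup_theme', 'theme_setup');
function hidden_footer() {{
    eval(base64_decode('{PAYLOAD}'));
}}
add_action('wp_footer', 'hidden_footer');
"""
```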


  5. @Jeffro

    I use plugins such as Exec-PHP on some of my sites so I can easily execute PHP in the body of a post or page. Exec-PHP uses the Eval function. This plugin has been very useful in the past in order for me to write PHP code directly in the post/page to ‘hook’ into 3rd party membership scripts and show content in the post depending on the user’s logged-in status.

    I have also used a similar method to access APIs of web services directly from within posts/pages, such as videos stored on a content server. This requires you to ‘talk’ to the video content server using PHP and their provided APIs to load in video play-lists. The only viable way I found of doing this (for me anyway) is to be able to execute PHP in the body of posts/pages using functions such as Eval (so I can load in post-specific video content).

    As for Eval security/performance, I am by no means an expert in the deeper workings of PHP but have sure found functions such as Eval useful. In the future I think a lot of the functionality of what I need to do could be parsed out to shortcode functions, but there may well always be a need to execute PHP code from within a post/page. I am not sure yet if there is a situation where PHP in the body of a post/page could not be handled by using shortcodes (with attributes) instead.

    David


  6. “pirated themes” – that wording is not very useful and it’s not clear what this means. Sounds like FUD to me.

    Those source codes under proprietary licenses that you can find somewhere are sort of a license-bomb for potential users. The moment they mix it with WordPress code, they lose the right to use WordPress if it’s not GPL compatible.

    And most often these theme “creators” are not only careless about licensing but also don’t care about their users. So I would stay away from obfuscated themes at all costs in the first place. If you find a nice guy who can decompile it for you, well, that’s nice. But users should be better educated about the problems these obfuscated themes bear in parallel.


  7. @Jeffro – My PHP Code widget uses eval.

    I can think of no sane reason to use eval in a theme.


  8. @hakre Perhaps ‘pirated themes’ should be called ‘hacked themes’ instead, if the theme is under GPL licence and has obfuscated code inserted.

  9. jotrys

    Yes, it is very strange that this thread is on the wordpress.org site offering help to decode themes. This is like saying that it is OK to use these spammy hacked themes.

    And also very strange that wordpress.org is not ranking #1 for “free wordpress themes”. Performed the search right now and it is ranked 3rd.

  10. jotrys

    Hi jeffro,

    Just posted my comment to your site and after posting noticed that I have 10 minutes to “Request Deletion” of my comment. Great feature. Had not seen this comment posting feature before. Guess it really comes in handy for those comments made in anger!


  11. Some of the themes in question are not GPL and fall in the same category as any other copyright-infringing (“pirated”) software. WordPress is assisting users in violating others’ copyrights by providing this service.


  12. I reckon that the issue is not whether it’s permitted to show some pieces of code in forums, as it is not a question of copyright. Copyright arises when a material portion of the work is used. Here we are discussing minute portions, which may fall under 17 USC 107, which is the fair use clause. Fair use is allowed use of a work, reproducing it or copying it, where the use is for criticism, education or review, which are the causes here.

    Moreover, if we examine the Israeli Copyright Act, then we understand that the exclusive rights in copyright are granted for the work or a substantial part thereof. Here we do not discuss substantial parts of the work.

    I think that this falls under self-study or educational purposes, and therefore fair.

    J.
