ThemeForest

Reject due to usage of TimThumb??

Dream-Theme says

Hey guys,

Recently my theme was rejected by [reviewer's name removed] with [IMO] the most ridiculous reason: “Unfortunately we’re not approving themes that are using timthumb due to some security issues.”

I have a couple of questions:

1) Since when has usage of timthumb been restricted, and where is the official notification (like the one when the Twitter API changed)?

2) What are those “security issues”? As far as I know the recent version of TimThumb is 100% safe.

3) Please confirm/refute (officially) that ALL themes with timthumb will be rejected.

An official reply from one of the reviewers would be very much appreciated. Thanks!

gljivec says

Hi,

you are not alone. I was also rejected, but it was just a suggestion to replace TimThumb with WP functions for images. Every time I submit a new file we are rejected for things that were OK 14 days ago. It would be nice if we knew what we can use and what not.

aligatorstudio says

@gljivec: it seems to me that if TF made the rules more clear, specific and detailed, and displayed them publicly, they would have less discretionary space for theme rejection and open more room for criticism of reviews and rejections.
I used to look at some of our rejection replies and ask myself “Whaaaaat?? Whyyyyyy? What else do you neeeeeed? Aaaaargh!”, when the rejection reasons were, like, “if you don’t know, we won’t tell you...” :)
I know, I know... very frustrating.
Our latest, and not yet resolved, rejection was explained with something like “too many similar items in category”. So frustrating... Especially when, after months of developing, changing, improving etc., you have no clue where to go...
But at least (not very comforting, though) the rejection text was not that generic – “doesn’t meet basic requirements...” etc.

FinalDestiny says

timthumb was fixed months ago; just because it had a vulnerability and it went viral doesn’t mean it’s bad. C’mon, it has its purpose. This is absurd!
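
For readers asking what the “security issues” actually were: the widely reported TimThumb bug of 2011 was in the remote-source allow-list, which was matched as a substring of the requested URL, so a host such as blogger.com.attacker.example passed the check and the script fetched, cached and served whatever came back; a PHP file landing in the web-accessible cache directory then executed. The block below is an added example, not TimThumb’s code and not anything posted in this thread: it reconstructs the weak check in simplified form next to a hardened one. The `$allowed` list, the host names and the URLs are constructed for illustration.

```php
<?php
// Added example, not TimThumb's own code. Models the remote-source allow-list
// check in the shape of the 2011 TimThumb bug beside a hardened replacement.
// $allowed, the host names and the URLs below are constructed for illustration.

$allowed = ['flickr.com', 'blogger.com', 'img.youtube.com'];

// Weak: looks for an allowed site anywhere in the URL string. The attacker-controlled
// host "blogger.com.attacker.example" contains "blogger.com", so it is accepted and the
// script would fetch attacker content into its web-accessible cache directory.
function allowed_by_substring(string $src, array $allowed): bool
{
    $src = strtolower($src);
    foreach ($allowed as $site) {
        if (strpos($src, strtolower($site)) !== false) {
            return true;
        }
    }
    return false;
}

// Hardened: parse the URL, require http(s), and compare the host label-wise: exactly an
// allowed host or a genuine subdomain of it. Path, query and user-info never take part.
function allowed_by_host(string $src, array $allowed): bool
{
    $parts = parse_url($src);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $host = rtrim(strtolower($parts['host']), '.');
    foreach ($allowed as $site) {
        $site   = strtolower($site);
        $suffix = '.' . $site;
        if ($host === $site
            || (strlen($host) > strlen($suffix) && substr($host, -strlen($suffix)) === $suffix)) {
            return true;
        }
    }
    return false;
}

// A fetched blob is cached only if it decodes as an image, under a hash-derived name whose
// extension comes from the detected type, never from the URL the client supplied.
function cache_name_for(string $url, string $bytes): ?string
{
    $info = @getimagesizefromstring($bytes);
    $ext  = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];
    if ($info === false || !isset($ext[$info[2]])) {
        return null;
    }
    return hash('sha256', $url) . '.' . $ext[$info[2]];
}

// Constructed inputs: one legitimate source and three bypass attempts.
$urls = [
    'http://img.youtube.com/vi/abc/0.jpg',
    'http://blogger.com.attacker.example/shell.php',   // substring bypass
    'http://attacker.example/x.php?ref=flickr.com',    // allowed host only in the query
    'http://attacker.example/flickr.com/x.php',        // allowed host only in the path
];
foreach ($urls as $u) {
    printf("%-48s substring=%s host=%s\n", $u,
        allowed_by_substring($u, $allowed) ? 'allow' : 'deny',
        allowed_by_host($u, $allowed) ? 'allow' : 'deny');
}
```

Run it and the first URL is allowed by both checks while the three bypasses are allowed by the substring check and denied by the host check. Two caveats a practitioner would add: `getimagesizefromstring()` is satisfied by a valid GIF with PHP appended to it, so the content check is only a filter and the cache directory must still be configured so the web server never executes scripts from it; and the cleanest fix is not fetching remote files from a theme at all.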

wickedpixel says

So is there an official nice table with standards for WordPress and CMS themes? Do only those buggy plugins exist?

kungfu-themes says

To be honest I don’t think the reason given by the reviewer is a valid reason, especially since timthumb has been patched now. But the general consensus is that there are far better alternatives out there which greatly outweigh using timthumb.

Remember timthumb has known problems with hosting companies and permissions. Add to that the fact that it doesn’t actually resize any pictures, so the end user could be using images such as 5000×5000 pixels and be wondering why their site takes so long to load. This is a big problem.

I’m not quite sure what the de facto standard is nowadays: is it to use WordPress’s built-in thumbnail function? Or even sym4ils’ aqua resizer?

I don’t know, but even nettuts has come up with a reasonable alternative:

http://net.tutsplus.com/tutorials/php/image-resizing-made-easy-with-php/

And I guess the only real advantage is that timthumb works on all existing images. If you are using a resizer script you may have to re-upload all the other images in the wp-upload folder for them to be resized correctly.

But I think this is a small issue. All in all, I’m not sure why people still use timthumb these days.

Good luck.
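
The built-in route the post above asks about, written out as an added example (not code from this thread, from any theme on it, or from WordPress itself beyond the core functions it calls): register an intermediate size, let WordPress generate it at upload time, and serve that file instead of the original. The size name `theme-card` and the helper `theme_card_src()` are hypothetical names chosen here; `add_image_size`, `the_post_thumbnail`, `wp_get_attachment_image_src`, `wp_get_registered_image_subsizes` (WordPress 5.3+), `image_make_intermediate_size` and the attachment-metadata functions are real core APIs. The helper also covers the caveat raised above, that uploads made before the size existed have no pre-generated file, by producing it once on first use rather than asking the site owner to re-upload.

```php
<?php
// Added example: WordPress-native intermediate sizes in place of an on-the-fly resizer.
// 'theme-card' and theme_card_src() are hypothetical names; the wp_* / image_* functions
// are WordPress core. Nothing here reads a user-supplied URL or fetches remote files.

add_action('after_setup_theme', function () {
    add_theme_support('post-thumbnails');
    // width, height, hard crop: generated once at upload, stored beside the original.
    add_image_size('theme-card', 600, 400, true);
});

// In a template, this emits the pre-generated 600x400 file, so a 5000x5000 original
// is never sent to the browser for a card:
//   <?php the_post_thumbnail('theme-card'); ?>

/**
 * URL of the 'theme-card' rendition for an attachment. If the attachment was uploaded
 * before the size was registered, generate the rendition once, record it in the
 * attachment metadata, and return it; otherwise return the existing file.
 */
function theme_card_src(int $attachment_id, string $size = 'theme-card'): ?string
{
    $src = wp_get_attachment_image_src($attachment_id, $size);
    if ($src && $src[3]) {          // [3] is true only for a real intermediate size
        return $src[0];
    }

    $sizes = wp_get_registered_image_subsizes();   // WordPress 5.3+
    if (!isset($sizes[$size])) {
        return null;                // size not registered: nothing sensible to return
    }

    $file = get_attached_file($attachment_id);
    if (!$file || !file_exists($file)) {
        return null;
    }

    $resized = image_make_intermediate_size(
        $file,
        $sizes[$size]['width'],
        $sizes[$size]['height'],
        $sizes[$size]['crop']
    );
    if (!$resized) {
        return null;                // unsupported type or no image editor available
    }

    $meta = wp_get_attachment_metadata($attachment_id);
    $meta = is_array($meta) ? $meta : [];
    $meta['sizes'][$size] = $resized;
    wp_update_attachment_metadata($attachment_id, $meta);

    $src = wp_get_attachment_image_src($attachment_id, $size);
    return $src ? $src[0] : null;
}
```

Compared with a `timthumb.php?src=...&w=...&h=...` endpoint, this design has no public script that accepts a path or URL from the request, so there is no allow-list to get wrong and no cache directory filled from client input; the only files produced are renditions of attachments already in the media library, written by WordPress's own image editor. For sites with many old uploads, regenerating all registered sizes in one pass (for example with a regenerate-thumbnails plugin or WP-CLI) is the usual alternative to the lazy fallback shown here.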

Enabled moderator says

Dream-Theme, as per forum rules, please do not call staff or reviewers on the forums!

I’ve edited your post.

Dream-Theme says

@Enabled:

Thanks and sorry – didn’t know that. And I didn’t mean to do any harm to anyone.

Dream-Theme says

@kungfu-themes:

Hey,

I believe you are wrong: TimThumb is the best image resizing software available for free on the web (don’t forget that even the guys from Woo are still using it – they know stuff about security!). And the script from nettuts is not safer than TimThumb, is less functional, etc. If you don’t believe me, please take a closer look at the newest version of TT (especially how it handles security, image caching and optimizes performance) before writing that I am the one who is wrong :) Thanks!

Moreover, in this thread I do not want (and will not) discuss which script is better. I’m only trying to get the official response: are we, all authors, prohibited from using TimThumb? And if yes – why; which exactly are those security issues mentioned by one of the reviewers?

Also I believe that I’m not the only author who would like to clarify this question.

LucidStudios says


@Dream-Theme:

If they have rejected your theme for using timthumb then this is definitely a new change in reviewing policy and it will apply to every author, just like so many other policy changes happening recently, e.g. now they require authors to use comment_form instead of writing custom comment form markup.

I understand your frustration, and I believe changes like this in any kind of rules concerning reviewing should be announced either on the forums or in the dashboard, because without prior announcement we authors lose a lot of time.
