Author Archives: Ian Dunn

Ian Dunn 4:50 pm on April 27, 2021
Tags: ,   

X-post: Automatically Catching Bugs in Plugins

X-post from +make.wordpress.org/meta: Automatically Catching Bugs in Plugins

Ian Dunn 7:57 pm on April 3, 2020
Tags: ,   

X-post: Showing online workshops in the Events Widget

X-comment from +make.wordpress.org/community: Comment on Showing online workshops in the Events Widget

Ian Dunn 11:01 pm on April 2, 2020
Tags: Events & News Widget, meetups, ,   

Showing Online WordCamps in the Events Widget

TLDR: Should online WordCamps be added to the Events widgetWidget A WordPress Widget is a small block that performs a specific function. You can add these widgets in sidebars also known as widget-ready areas on your web page. WordPress widgets were originally created to provide a simple and easy-to-use way of giving design and structure control of the WordPress theme to the user.? If so, who should they be shown to?

Background

Many WordCamps are transitioning from in-person events to online events, due to COVID-19.

At the moment, those events don’t show up in the News & Events widget on the dashboard, because they don’t have a physical location. The widget was originally designed to show the user local events, because cultivating local, in-person bonds is an essential element of our community’s success.

Online events aren’t being intentionally kept out of the widget; it’s just an unforeseen side-effect of the temporary shift to online events. Online meetupMeetup All local/regional gatherings that are officially a part of the WordPress world but are not WordCamps are organized through https://www.meetup.com/. A meetup is typically a chance for local WordPress users to get together and share new ideas and seek help from one another. Searching for ‘WordPress’ on meetup.com will help you find options in your area. events still appear in the widget, because in the absence of an explicit event location, the Meetup.com APIAPI An API or Application Programming Interface is a software intermediary that allows programs to interact with each other and share data in limited, clearly defined ways. falls back to the location of the group.

Questions

  1. Should online WordCamps show up in the widget?
  2. If so, who should they be shown to? Here are a few potential criteria:
    • The same people who would have seen the in-person event. i.e., anyone within a 400km radius of the venue.
    • Everyone within the same country. Would this apply equally to countries that host a small number of camps, and those that host a large number? Would it apply equally to countries that often see people from neighboring countries traveling to attend the event, and to countries where that is not common?
    • Everyone within an increased radius, e.g., 600km. If so, what would be the best distance?
    • Everyone within the same timezone, plus-or-minus a few hours.
    • Everyone who speaks the same language — or localeLocale A locale is a combination of language and regional dialect. Usually locales correspond to countries, as is the case with Portuguese (Portugal) and Portuguese (Brazil). Other examples of locales include Canadian English and U.S. English.? — as the host city.
    • A combination of the above? Some other criteria entirely?
  3. Should the timezone and/or language of the event be displayed in the dashboard?

+make.wordpress.org/community/
+make.wordpress.org/meta/

#events-news-widget, #meetups, #online-events, #wordcamps

Ian Dunn 4:03 pm on August 16, 2019
Tags: ,   

Follow-up Discussion on Major Auto Updates

Last week’s proposal to automatically upgrade old sites to 4.7 has garnered a lot of feedback, which has been very helpful in refining the idea and getting a sense of how different parts of the community feel about it.

To follow up on that, I’d like to have a meeting in #core on Tuesday, August 20, 2019, 2100 UTC to continue the discussion. No decisions will be made during the meeting, but I hope that we can have a productive conversation and move closer to some kind of resolution.

To join the meeting, you’ll need an account on the Making WordPress Slack. If you’re not able to attend, but would like to give feedback, please leave a comment on the proposal.

#auto-update, #security

Ian Dunn 7:45 pm on August 7, 2019
Tags: ,   

Proposal: Auto-Update Old Versions to 4.7

Foreword: To help anchor some of the main concerns from the comments, I’d like to highlight a few important points in this post. – Josepha

  • This post contains a careful roll out plan. This would not be be a sudden and un-communicated change.
  • There will be options for site admins to opt-out of the update with clear instructions starting 30 days prior.
  • This would apply to small segments of each version sequentially, not all at once. This helps us check the updates in batches and limit the risk of breaking sites irrevocably.

Based on the ideas in last week’s discussion, I’d like to propose a new policy regarding backporting security fixes to old versions, and a plan to implement it.

Policy

Note: This has been edited since it was published, to incorporate feedback from the comments.

Apply security updates to the latest 6 versions, and slowly auto-update insecure sites to the oldest secure version.

That would mean that the currently secured versions would be 4.7 - 5.2, and the 3.7 - 4.6 branches would eventually be auto-updated to 4.7.

In practice, that’d provide roughly 2 years of security fixes for each branchbranch A directory in Subversion. WordPress uses branches to store the latest development code for each major release (3.9, 4.0, etc.). Branches are then updated with code for any minor releases of that branch. Sometimes, a major version of WordPress and its minor versions are collectively referred to as a "branch", such as "the 4.0 branch"., and roughly 10% of current sites would eventually be auto-updated to 4.7. Security fixes would not be guaranteed for any specific length of time, though. Once 5.3 is released, 4.8 would become the oldest secured version.

A set number of versions creates a consistent limit on the amount of work required to backportbackport A port is when code from one branch (or trunk) is merged into another branch or trunk. Some changes in WordPress point releases are the result of backporting code from trunk to the release branch. security fixes. Auto-updating insecure versions allows us to continue protecting older sites, rather than seeing them fall into the hands of spammers and criminals.

Implementation Plan

Auto-updating major versions is already a relatively safe process, because of WordPress’ commitment to backwards-compatibility, and the robust safety checks and rollback feature included in the auto-update system. However, this should still be done cautiously, to avoid breaking any sites.

A small subset of sites would be tested first, so that any problems can be identified and corrected before the majority of sites are updated. Sites would be updated one version at a time, to minimize the number of things that could go wrong.

Auto-updates of old branches would be done at a different time than new releases, to avoid a situation where there could be multiple problems to troubleshoot at once.

The process for auto-updating insecure versions would look like this:

Note: This has been edited since it was published, to incorporate feedback from the comments.

  1. Publish a post on wordpress.org/news, to inform the wider world about the upcoming updates as far in advance as possible. A specific date for updates will not be known at this point, but it will be at least 6 weeks in the future.
  2. Release 3.7.30 - 4.6.15, which will:
    1. Allow admins to opt-out of major auto updates by clicking a simple button.
    2. Email all site admins/editors to ask them to upgrade to the latest version, and inform them that their site will be auto-updated to 3.8 in the near future if they don’t opt-out. It will link to some documentation with more details, and include a link that they can click to opt-out. They’ll be warned about the security implications of opting-out. Editors won’t be able to directly install the update, but they can reach out to admins who can.
    3. Add an adminadmin (and super admin) notice within wp-admin, containing similar information as the email. The notice will be visible to all site users.
    4. If users opt out, they will no longer get the emails asking them to update, but will continue seeing the wp-admin notices.
  3. Test auto-updating 3.7 to 3.8 against test sites, and make any necessary improvements to the auto-update system.
    1. One necessary modification would be to email the site owner if the auto-update fails and is rolled back to 3.7. The email should be a strongly-worded warning, letting them know that their site could not be upgraded to a secure version, and that they should manually update immediately. If they don’t update, it’s almost guaranteed that their site will be hackedhacked eventually.
    2. Similarly, if the auto-update fails and the user is stuck on an insecure version, an admin notice should be displayed in wp-admin with a warning similar to the email above. This would replace the pre-release banner from 3.7.30 described above.
    3. We could potentially look into ways to make an educated guess about the chance of an undetectable error, and abort the update on those sites, to minimize the risk of breaking something. For example, if a known incompatible pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party is installed. In those cases, we’d want to send the admin the same warning email & admin notice, letting them know that they’re stuck on an insecure version, and need to manually update immediately.
  4. Update the Core handbook with details on the new process, so that everyone knows how to deployDeploy Launching code from a local development environment to the production web server, so that it's available to visitors. major auto-updates.
  5. Publish a document on WordPress.orgWordPress.org The community site where WordPress code is created and shared by the users. This is where you can download the source code for WordPress core, plugins and themes as well as the central location for community conversations and organization. https://wordpress.org/ explicitly stating a support policy, to avoid confusion.
    1. Only the latest major version is officially supported and guaranteed to receive security updates.
    2. There are no LTS releases, and all releases older than the current release are EOL.
    3. We make an effort to backport security fixes to the previous 5 major releases, but no guarantee is made, as sometimes it is not feasible or practical.
    4. Everyone is strongly recommended to always run the latest major version.
  6. T-30 days: Release 3.7.31, which will:
    1. Send all site admins and editors a 2nd email, similar to the 1st, letting them know that their site will be auto-updated to 3.8 in 30-45 days, and include instructions to opt-out, etc.
    2. Update the 3.7.30 wp-admin notice to include the date range of the impending update.
    3. Include any necessary improvements to the auto-update system, as described in step 3.
  7. Deploy the auto-updates in phases:
    1. The general process would be to deploy to a subset of 3.7 sites, then wait 1 week to see if any issues are reported. If anything unexpected happens, the process can be paused in order to fix those issues, and then restarted.
    2. T-0 days: Deploy to 2% of 3.7 sites, selected randomly to get a representative sample.
    3. T+7 days: Deploy to another 18%.
    4. T+14 days: Deploy to the remaining 80%.
  8. If all goes well, the process can be repeated to update 3.8 sites to 3.9, and so on until all sites are running 4.7. Some of the steps can be automated to make the process easier in the future.

Feedback

  • Overall, would you like to move forward with the general approach of this policy/plan?
  • Would you make any tweaks to improve it?

Update: The policy and implementation plan have been updated to clarify some miscommunications that were revealed in the comments:

CoreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress.’s official policy has always been to only support the latest version, and this proposal does not intend to change that. It only means to impact the number of versions that we backport to, and to start auto-updating very old versions to a more recent version.

This is consistent with — and moving towards — the Core team’s pre-existing long-term plan of getting to the point where all WordPress sites are running the latest version automatically and transparently, similar to how Chrome and other modern software work.

Older versions are not guaranteed to receive all security updates, since that is not always possible. The versions that receive updates would not be considered LTS versions; they would only receive the security updates that are feasible to backport. Everyone should always run the latest version.

This proposal is not intended to become permanent. It seems like a prudent action for the current situation, but like everything else, it should be re-evaluated in the future, as the situation changes.

#auto-update, #security

Ian Dunn 3:14 am on December 13, 2018
Tags: , ,   

Backwards Compatibility Breaks in 5.0.1

5.0.1 was just released to fix several security bugs. The Security team tried very hard to mitigate all of the vulnerabilities without any back-compat breaks, but unfortunately there were a few cases where that was not possible.

Security patches are backported to the 3.7 branchbranch A directory in Subversion. WordPress uses branches to store the latest development code for each major release (3.9, 4.0, etc.). Branches are then updated with code for any minor releases of that branch. Sometimes, a major version of WordPress and its minor versions are collectively referred to as a "branch", such as "the 4.0 branch"., so these BC breaks also apply to versions 4.9.9, 4.8.8, etc.

Form element no longer passes KSES

Prior to 5.0.1, the $allowedposttags array contained an entry for the <form> element and some of its attributes. Because of that, Contributors and Authors could use it in posts.

The element was removed in 5.0.1, except for situations where a pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party has explicitly registered input or select fields via the wp_kses_allowed_html filterFilter Filters are one of the two types of Hooks https://codex.wordpress.org/Plugin_API/Hooks. They provide a way for functions to modify data of other functions. They are the counterpart to Actions. Unlike Actions, filters are meant to work in an isolated manner, and should never have side effects such as affecting global variables and output.. If a Contributor or Author includes <form> in their post, it will be removed when the post is saved. It will also be stripped from arbitrary content that plugins pass to wp_kses_post() or wp_kses_allowed_html( 'post' ).

If a plugin author wants to restore the original behavior, they will need to add form, input or select tags via wp_kses_allowed_html. Please exercise caution when doing so, because this could re-introduce a vulnerability. Make sure only trusted users are allowed to add <form> tags. 

meta_input, file, and GUID inputs are ignored

Prior to 5.0.1, $_POST requests for creating posts could contain values for meta_input, file, and guid. This is no longer true, and values passed for those fields will be ignored.

Plugins should not manually manipulate $_POST, but rather use the appropriate filters, and always validate/sanitize any data coming from an untrusted source.

MIME validation for uploaded files

Prior to 5.0.1, WordPress did not require uploaded files to pass MIME type verification, so files could be uploaded even if the contents didn’t match the file extension. For example, a binary file could be uploaded with a .jpg extension.

This is no longer the case, and the content of uploaded files must now match their extension. Most valid files should be unaffected, but there may be cases when a file needs to be renamed to its correct extension (e.g., an OpenOffice doc going from .pptx to .ppxs).

#5-0, #5-0-1, #dev-notes