Next WordCamp.org ticket scrub on July 18th, 2019

This ticket scrub will happen on 2019-07-18 17:00 UTC in the #meta-wordcamp channel.

The focus is on Meta tickets with the WordCamp Site & Plugins component.

Comment below if there’s a specific ticket or topic you’d like to discuss.

+make.wordpress.org/community

#agenda, #ticket-scrub, #wordcamp-org

Security Audit for WordCamp Remote CSS Plugin

UPDATE: The plugin has been deployed, so please disclose any vulnerabilities privately, either on HackerOne, or by pinging me privately on Slack.


The WordCamp Remote CSS plugin is ready to deploy, but before I do that, I want to get some extra eyes on a few potential attack vectors.

The plugin lets organizers develop their CSS with any tools/environments/platforms they want (rather than in a browser with Jetpack’s CSS editor), and then the plugin will download a copy of the CSS file from a remote server, sanitize it, cache it locally, and enqueue it as an extra stylesheet.

You can browse the source on GitHub. (It’ll be moved to the Meta repo before it’s deployed.)

These are what I see as the weakest points, and why I think they’re safe:

  • validate_remote_css_url() – This makes sure the file we’re about to download meets our expectations. If this allowed any URL, it’d be open to SSRF attacks. To avoid that, only specific platforms (like GitHub) are supported. Additionally, only URLs with a .css extension are allowed.
  • output_cached_css() – This outputs the user’s CSS on the front-end, after it’s been sanitized. There’s no escaping, because it’s CSS, but it’s already been sanitized. The correct content-type header is sent, to prevent browsers from interpreting it as HTML. I guess if the database is compromised, the content could be manipulated, but if that happens then there’s probably a hundred different things the attacker could do, so I don’t think there’s really anything to do in that case.
  • webhook_handler() – This listens for notifications from webhooks that a repository has been updated, and refreshes the cache. It doesn’t require any authentication, because the worst an attacker could do would be to force us to unnecessarily refresh the cache. To avoid too many requests, though, it is rate-limited.

Does anyone see anything I’ve missed there, or anywhere else?

If you’d like to test it live, you’ll need to cherry pick 2955-jetpack.

 

cc @kovshenin

#code-review, #security, #wordcamp-org
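As an added illustration (not code from the Remote CSS plugin or its author), here is a stand-alone PHP validator in the spirit of the validate_remote_css_url() check described in the post above: HTTPS only, host matched exactly against a fixed allowlist, no embedded credentials or explicit port, and the .css extension checked on the path component rather than on the whole string. The allowed host names, the function name and the sample URLs are assumptions for illustration and are not taken from the plugin.

```php
<?php
// Added example, not the plugin's own code. Host list, function name and
// sample URLs are assumptions for illustration.

declare(strict_types=1);

// Exact-match allowlist of hosts we are willing to fetch CSS from. No
// wildcards, so "raw.githubusercontent.com.evil.example" does not qualify.
// (Assumed list; the real plugin's supported platforms may differ.)
const ALLOWED_CSS_HOSTS = [
    'raw.githubusercontent.com',
    'gist.githubusercontent.com',
];

/**
 * Returns null when the URL is acceptable, otherwise a short reason string.
 */
function validate_css_url_example( string $url ): ?string {
    // parse_url() returns false for seriously malformed input.
    $parts = parse_url( $url );
    if ( false === $parts ) {
        return 'unparseable URL';
    }

    // Require an absolute URL: scheme-less or relative input is rejected.
    if ( empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
        return 'scheme and host are required';
    }

    // HTTPS only: no http://, file://, gopher://, etc.
    if ( 'https' !== strtolower( $parts['scheme'] ) ) {
        return 'scheme must be https';
    }

    // Embedded credentials ("https://allowed.host@attacker/") and explicit
    // ports are classic ways to confuse URL handling; refuse them outright.
    if ( isset( $parts['user'] ) || isset( $parts['pass'] ) || isset( $parts['port'] ) ) {
        return 'userinfo and port are not allowed';
    }

    // Host must be exactly one of the allowed platforms (case-insensitive,
    // trailing dot stripped).
    $host = strtolower( rtrim( $parts['host'], '.' ) );
    if ( ! in_array( $host, ALLOWED_CSS_HOSTS, true ) ) {
        return 'host is not an allowed platform';
    }

    // The extension check is applied to the *path* only, so a query string
    // such as "?x=.css" or a fragment "#.css" cannot satisfy it.
    $path = $parts['path'] ?? '';
    if ( ! preg_match( '/\.css\z/i', $path ) ) {
        return 'path must end in .css';
    }

    return null;
}

// Constructed sample inputs: the first is accepted, the rest are rejected.
$samples = [
    'https://raw.githubusercontent.com/org/repo/master/style.css',
    'http://raw.githubusercontent.com/org/repo/master/style.css',
    'https://raw.githubusercontent.com.evil.example/style.css',
    'https://raw.githubusercontent.com@127.0.0.1/style.css',
    'https://raw.githubusercontent.com/org/repo/master/style.php?x=.css',
    'https://raw.githubusercontent.com:8443/org/repo/master/style.css',
];

foreach ( $samples as $url ) {
    $reason = validate_css_url_example( $url );
    printf(
        "%-6s %s%s\n",
        null === $reason ? 'ACCEPT' : 'REJECT',
        $url,
        null === $reason ? '' : " ($reason)"
    );
}
```

Run it with `php validate_css_url_example.php`. Two things a URL check alone cannot cover, whatever the allowlist looks like: the HTTP client that performs the download must not follow redirects (a host on the allowlist could otherwise answer with a 302 to an arbitrary location; with WordPress’s HTTP API that means passing 'redirection' => 0 to wp_remote_get()), and the body that comes back should be treated as untrusted text and run through the CSS sanitizer regardless of the .css extension, since the extension says nothing about what the server actually returned.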

Weekly i18n Chat Notes – September 22, 2015

Earlier today a handful of us gathered to talk about life, the universe, and things that may or may not relate to the meta team and i18n. Here’s a bit of what we talked about:

  • Plugins: Last week we imported our first set of plugins into translate.wordpress.org! Hurrah! Huzzah! 🎤⬇️ And because we were feeling good about it, we also sent out emails to the second batch of plugin authors (~200 plugins). That import will start today or tomorrow and we’ll send out emails for the next import soon.
  • Translate: The stats page got some love with the addition of the Waiting column (see #1202) and some improvements to the design (see #1238).
  • Theme Directory: @obenland started work on the Translations section by adding a link to translate any theme to the page. Check out the Twenty Sixteen theme page for an example.
  • WordCamp: Set things up so the WordCamp theme can be translated (see #1076), pending deployment by the WordCamp team.
  • Forums: There was a mention that the Italian forums are not working. @ocean90 will investigate. Additionally, we’ve had a couple of requests for new forums. We think it’s okay to add new ones for testing purposes. For example, an RTL forum would be appropriate.

For the next week, we’re planning to work on the following:

  • Import and language pack status of plugins sent to a Slack channel.
  • Sorting / Filter UI finished up (or whatever we call it).
  • Streamline the process of adding per-project translation editors (see #1237 which requires #1240).
  • Work on updated design for project pages in Translate.
  • Possibly: More Theme Directory translation section additions.
  • Possibly: Rosetta headers fixed up (see #1201).
  • Possibly: Job system started.

See y’all next Tuesday at 11:00 UTC!

#forums, #i18n, #l10n, #meeting-notes, #plugins, #stats, #theme-directory, #translations, #wordcamp-org

Editing WordCamp.org CSS Locally with Git

Over on make/Community, we’ve been discussing ways to eliminate some of the worst pain points that WordCamp organizers have with building their sites.

There’s one discussion in particular that I’d love to get feedback from Meta team members on, which is determining the best way that we can support a traditional development workflow.

Right now organizers have to edit the CSS for their site in Jetpack’s CSS editor, which is painful because it wasn’t intended for the kinds of use cases that we have.

Instead, we want to allow organizers to build their sites in a local sandbox, managing the code with Git, and be able to easily push updates to production.

If anyone is interested in giving feedback or helping to build the tools we need, please check out the discussion.

#git, #sandbox, #wordcamp-org

HTTPS on WordCamp.org Update

Hey all, just a brief update on the status of HTTPS for WordCamp.org sites.

We’ve enabled HTTPS on all WordCamp sites and rewrote the URLs, even though we’re not forcing it yet. The majority of the traffic will likely hit HTTPS from now on, and we should catch and fix all (or at least most) mixed content warnings before forcing it. Most of these are probably related to embeds from Flickr, Typekit and other third-party services.

So if while browsing any WordCamp.org site you’ve stumbled upon a page with mixed content warnings, please leave a comment with the URL. You can identify these by the “broken” lock in your browser address bar, or the shield icon which prevents execution of unsafe JavaScript.


Thanks!

Update: We’re now forcing HTTPS on domains that support it.

#wordcamp-org

Segments in CampTix

One of the features we were asked to develop for CampTix (the WordCamp.org ticketing plugin) is the ability to e-mail attendees based on custom segments using the Notify section in Tickets → Tools. This will allow organizers to get in touch with very specific groups of people, such as those who opted in for vegetarian lunch, or those who selected women’s XS t-shirt size.

CampTix Notify Segments Screenshot

The feature’s been pushed to the notify-segments branch in the Git repo. We would appreciate a few extra eyes on the new feature before we start rolling it out to WordCamp organizers. Any weirdness can be reported in #920-meta.

Thanks!

#wordcamp-org

I just posted a couple things to the…

I just posted a couple things to the Community team p2 that could benefit from getting feedback from developers in the community:

#customizing-themes, #jetpack-css-editor, #wordcamp-org

Project Updates: Meta Environment, WordCamp Payments, and WPTV

Since WCSF, we’ve made significant improvements to the Meta Environment, launched the WordCamp Payments plugin, and open-sourced WordPress.tv.

Meta Environment

The Meta Environment has seen a lot of improvements since it was introduced in June, especially in the past few weeks.

  • We’ve added developer.wordpress.org, global.wordpress.org, apps.wordpress.org, wordpress.tv, and jobs.wordpress.net.
  • It’s also transitioned from being a full fork of Varying Vagrant Vagrants, to being only the scripts needed to provision the sites into an existing VVV installation, which is a huge win for maintainability.
  • Also dozens of smaller tweaks and improvements.

So far the feedback has all been positive, and I think it’s becoming a useful tool for contributors. Props to @netweb, @iamfriendly, and @miyauchi for their contributions.

WordCamp Payments

The new WordCamp Payments plugin has launched, along with the corresponding Payments Dashboard plugin by @kovshenin. These plugins provide a centralized and streamlined way for WordCamp organizers to request payments to their vendors by WordCamp Central, which will save a lot of time over the current method.

We’ve also discussed, here and here, expanding the plugins to include sponsor invoices as well.

WordPress.tv

The theme and plugins[1] for WordPress.tv are now open source, thanks to @obenland, and some improvements are already being planned by the WPTV moderators.

It’s also been added to the Meta Environment to make contributing easier.

[1] – Since it’s hosted on WordPress.com, the plugins are bundled in a plugins folder inside the theme, which is the convention for VIP sites.

Get Involved

In addition to contributing to the projects above, there’s been some recent discussions — here, and here — on an invoicing feature for CampTix, which would save a lot of time for WordCamp organizers.

If you’d like to help out, read through the chat transcripts, and then submit a patch to #103 on GitHub.

#updates, #varying-vagrant-vagrants, #wordcamp-org, #wordpress-meta-environment, #wordpress-tv

Quick WordCamp org update We’re working on the…

Quick WordCamp.org update! We’re working on the URL structure change as well as some minor changes around organizer reminders and the payments plugin. We’ve also released a small update to the CampTix plugin, so if you’re using it outside of WordCamp.org you should update immediately.

#wordcamp-org

WordPress Meta Environment

Setting up local development environments to contribute to the Meta sites can be an obstacle for those without access to the private subversion repositories or a sandbox, especially at a meetup or WordCamp contributor day, where time is limited.

We’ve talked a bit before about making this easier by creating a Vagrant configuration, so I put together a prototype based on Varying Vagrant Vagrants, with WordCamp.org as the first site. The sample data needs a little love, but other than that I think it works pretty well.

I’ll test it out with some people this weekend at WordCamp Seattle. If anyone on the team wants to add other sites or make any changes, just let me know and I’ll add you to the repo.

#contributing, #vagrant, #varying-vagrant-vagrants, #wordcamp-org, #wordpress-meta-environment