Potential Abuse of “Email Personalized Schedule” Feature

r6268-meta adds a new feature where WordCamp attendees can bookmark sessions on the schedule that they want to attend, and then e-mail themselves their personalized schedule (per #2733-meta). The feature is aimed at attendees, so it doesn’t require logging in to an account.


The email portion of that is temporarily disabled, though, so that we can discuss the potential for abuse, and any necessary mitigations.

As far as I can tell, there are 3 primary scenarios for abuse:

“Dumb” bots

These are the ones that just search for any <form> they can find, and POST spam content to it. These shouldn’t work at all, since the <form> doesn’t have an action; instead, JavaScript traps the click event and sends the request to the REST API. Even if the bot tried to POST the request to the current URL, that still wouldn’t trigger the handler.

“Smart” bots

These are advanced enough to be able to interact with the DOM. I still don’t think these would work, because the handler returns early if no session IDs are passed. In order to actually send an email, the bot would have to star a session, meaning that it would have to be tailor-made to this particular plugin.

I don’t think anybody would go to that much trouble, since they could get much more impact for far less effort elsewhere. They wouldn’t be able to send any spam content; all they would achieve would be annoying the recipient, and hurting our server’s spam reputation. Annoying the recipient could be done more easily with millions of web forms that don’t require any complex interactions. Hurting our server’s reputation is plausible, but still seems very unlikely.

That doesn’t seem like a compelling enough reason to burden the user with a CAPTCHA, or to take up our limited time and introduce non-essential complexity with a rate-limiter.

A human manually submitting the form

This is essentially the same as a “smart” bot; the costs seem to far outweigh the benefits.

If we get any reports of abuse, or notice our mail server being blacklisted, then we can definitely temporarily disable the emails with email_fav_sessions_disabled() and work on a fix, but it seems premature to do anything right now.

Waiting until there’s actually some sign of abuse saves us the opportunity cost of spending time on a feature we’ll probably never use, and it also puts us in a better position to correctly fix the abuse in the unlikely event that it does happen. Right now we’re just guessing at how it might be abused, but if it does actually happen, then we’ll know the details and will be able to address it directly.

What do you all think? Do you all have any objections to turning it on?

#prio2
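An added example, not code from the WordCamp plugin or from this ticket: a PHP sketch of the shape the analysis above depends on, a public REST route (no login) whose handler returns early unless real session IDs and a valid address are supplied, builds the mail body only from the site's own session titles, and has a kill switch modelled on email_fav_sessions_disabled(). The route name, the option key and the wcb_session post type are assumptions.

```php
<?php
// Added illustration, not the WordCamp plugin's code; route, option key and post type are assumptions.
function wcfs_email_disabled() : bool {
    // Kill switch modelled on email_fav_sessions_disabled(): flip an option if abuse is reported.
    return (bool) get_option( 'wcfs_email_fav_sessions_disabled', false );
}

function wcfs_validate_request( string $email, array $session_ids ) {
    if ( wcfs_email_disabled() ) {
        return new WP_Error( 'disabled', 'Schedule emails are temporarily disabled.', array( 'status' => 503 ) );
    }
    // Bare POSTs and bots that never starred a session carry no IDs: return early.
    $ids = array_values( array_filter( array_map( 'absint', $session_ids ) ) );
    if ( empty( $ids ) ) {
        return new WP_Error( 'no_sessions', 'No sessions were selected.', array( 'status' => 400 ) );
    }
    if ( ! is_email( $email ) ) {
        return new WP_Error( 'bad_email', 'Invalid email address.', array( 'status' => 400 ) );
    }
    return $ids;
}

function wcfs_handle_email_schedule( WP_REST_Request $request ) {
    $email  = (string) $request->get_param( 'email' );
    $result = wcfs_validate_request( $email, (array) $request->get_param( 'session_ids' ) );
    if ( is_wp_error( $result ) ) {
        return $result;
    }
    // Only published sessions are looked up and the body is built solely from their
    // titles, so a submitter cannot inject content of their own into the email.
    $sessions = get_posts( array( 'post_type' => 'wcb_session', 'post__in' => $result,
        'post_status' => 'publish', 'numberposts' => -1 ) );
    if ( empty( $sessions ) ) {
        return new WP_Error( 'no_sessions', 'No sessions were selected.', array( 'status' => 400 ) );
    }
    $body = "Your WordCamp schedule:\n" . implode( "\n", wp_list_pluck( $sessions, 'post_title' ) );
    $sent = wp_mail( sanitize_email( $email ), 'Your personalized schedule', $body );
    return rest_ensure_response( array( 'sent' => (bool) $sent ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'wc-post-types/v1', '/email-fav-sessions', array(
        'methods'             => 'POST',
        'callback'            => 'wcfs_handle_email_schedule',
        'permission_callback' => '__return_true', // public route: attendees are not logged in
    ) );
} );
```

Because every byte of the message comes from published session titles, the worst a submitter can do is trigger an unwanted but harmless email, which is the residual risk the ticket weighs against a CAPTCHA or rate limiter.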

Node.js 8.x on build server

Hi, as per #3320-meta could we please have a Node 8.x LTS release installed on WordPress.org?
This will be needed for WordPress 5.0 & Gutenberg (once merged) build scripts to operate.

Currently we have a 0.10.x & 6.9.x release available in the nodejs-base role.

#prio2

#3320-meta

Me (@otto42) and Scott (@coffee2code)…

Me (@otto42) and Scott (@coffee2code) need ssh access to wordpressfoundation.org, if we don’t have such access already. This is so that we can change around the payment systems for donations, as requested by Matt.

Cache corruption issue

Something is causing the Credits API results cache to be corrupted – I’m assuming a job somewhere is triggering it, but I have no way to track it down.

Are you able to find out what is writing to the props-4.9 key in the core-credits-api cache group?

#prio2

Incorrect Return-Path on mail from wordcamp.org

The Return-Path is currently set to bounce@wp.com, which may be contributing to emails getting marked as spam for some recipients. Relevant headers from one such email:

Received-SPF: Neutral (zoho.com: xx.xxx.xx.xxx is neither permitted nor denied by domain of bounce@wp.com ) client-ip: xx.xxx.xx.xxx
Authentication-Results: mx.zohomail.com;
    spf=neutral (zoho.com: xx.xxx.xx.xxx is neither permitted nor denied by domain of wp.com) smtp.mailfrom=bounce@wp.com
Return-Path: <bounce@wp.com>
...
Date: Fri, 20 Oct 2017 12:20:46 +0000
From: WordPress <wordpress@wordcamp.org>
Reply-To: support@wordcamp.org

This same issue has come up before (1, 2), and it appears that the Return-Path was changed at that time, so perhaps it was somehow reverted at a later date?

cc @stankea

#prio2
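An added check, not the page's or WordPress.org's code: it parses a raw header block like the one quoted above and reports the condition behind the "neutral" SPF result, namely that the envelope sender (Return-Path) sits in a different domain from the visible From, so the receiver evaluates wp.com's policy rather than wordcamp.org's. The sample headers are constructed from the ticket's excerpt and PHP 8 is assumed.

```php
<?php
// Added check, not wordpress.org's code. Assumes PHP 8 (str_ends_with).
function parse_headers( string $raw ) : array {
    $headers  = array();
    $unfolded = preg_replace( "/\r?\n[ \t]+/", ' ', $raw ); // join folded continuation lines
    foreach ( preg_split( "/\r?\n/", $unfolded ) as $line ) {
        if ( strpos( $line, ':' ) === false ) { continue; }
        [ $name, $value ] = explode( ':', $line, 2 );
        $headers[ strtolower( trim( $name ) ) ] = trim( $value );
    }
    return $headers;
}

function address_domain( string $value ) : string {
    // Accepts "Name <user@host>" or a bare user@host.
    if ( preg_match( '/<([^>]+)>/', $value, $m ) ) { $value = $m[1]; }
    $at = strrpos( $value, '@' );
    return $at === false ? '' : strtolower( substr( $value, $at + 1 ) );
}

function check_return_path_alignment( string $raw ) : array {
    $h    = parse_headers( $raw );
    $env  = address_domain( $h['return-path'] ?? '' ); // envelope sender that SPF is evaluated against
    $from = address_domain( $h['from'] ?? '' );        // domain the recipient actually sees
    $spf  = preg_match( '/\bspf=(\w+)/', $h['authentication-results'] ?? '', $m ) ? strtolower( $m[1] ) : 'none';
    // Relaxed (DMARC-style) alignment: same domain, or a subdomain of the From domain.
    $aligned = $env !== '' && ( $env === $from || str_ends_with( $env, '.' . $from ) );
    return array( 'return_path_domain' => $env, 'from_domain' => $from, 'spf' => $spf, 'aligned' => $aligned );
}

// Constructed sample, trimmed from the headers quoted in the ticket.
$sample = "Authentication-Results: mx.zohomail.com;\n"
    . "    spf=neutral (zoho.com: xx.xxx.xx.xxx is neither permitted nor denied by domain of wp.com) smtp.mailfrom=bounce@wp.com\n"
    . "Return-Path: <bounce@wp.com>\n"
    . "From: WordPress <wordpress@wordcamp.org>\n"
    . "Reply-To: support@wordcamp.org\n";
print_r( check_return_path_alignment( $sample ) );
```

On the quoted headers it reports the SPF result as neutral and the two domains as not aligned; once the Return-Path is moved back under wordcamp.org the same check reports them as aligned.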

Hi, can you please setup…

Hi, can you please setup proxy access for @casiepa? As a polyglots mentor he’ll be helping out with managing rosetta sites and will need access to the global.WordPress.org network.

His public key is:


Thanks!

#prio2

Hi, can you please setup…

Hi, can you please setup proxy access for @coachbirgit? As a polyglots mentor she’ll be helping out with managing rosetta sites and will need access to the global.WordPress.org network.

Her public key is:


Thanks!

#prio2

Update Apache on lists.wordpress.org

A report came in via HackerOne informing us that lists.wordpress.org is running a version of the Apache web server which contains several known vulnerabilities. It should be updated to the latest in either the 2.2.x or 2.4.x branch.

#prio3

CAA for wordpress.org

A report came in via HackerOne recommending that Certificate Authority Authorization be implemented for wordpress.org (and other W domains).

CAA allows a domain owner to restrict which CAs are allowed to issue certificates for the domain. It’s been useless until quite recently: the CAB Forum recently voted to enforce CAA checks for all new certificates starting next month, so it’s definitely a useful measure to implement.

More info: https://scotthelme.co.uk/certificate-authority-authorization/

#prio3
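An added illustration, not wordpress.org's DNS or any code from this ticket: it models the issuance check a CA performs against CAA records (RFC 6844, now RFC 8659), climbing from the requested name to the first label that has CAA records and allowing issuance only if an issue (or, for wildcard certificates, issuewild) record names the CA. The zone data is constructed; CNAME and DNSSEC handling are left out.

```php
<?php
// Added illustration, not wordpress.org's DNS. Zone data is constructed; CNAME and
// DNSSEC handling are omitted.
function caa_relevant_set( array $zone, string $name ) : ?array {
    // Climb from the requested name toward the root; the first label that has
    // CAA records is the relevant set (RFC 8659 section 3).
    $labels = explode( '.', rtrim( strtolower( $name ), '.' ) );
    while ( $labels ) {
        $candidate = implode( '.', $labels );
        if ( ! empty( $zone[ $candidate ] ) ) { return $zone[ $candidate ]; }
        array_shift( $labels );
    }
    return null; // no CAA anywhere: issuance is unrestricted
}

function caa_permits( array $zone, string $name, string $ca, bool $wildcard = false ) : bool {
    $records = caa_relevant_set( $zone, $name );
    if ( $records === null ) { return true; }
    // issuewild governs wildcard requests only when present; otherwise issue applies.
    $tag = 'issue';
    if ( $wildcard && array_filter( $records, fn( $r ) => $r['tag'] === 'issuewild' ) ) {
        $tag = 'issuewild';
    }
    $candidates = array_filter( $records, fn( $r ) => $r['tag'] === $tag );
    if ( ! $candidates ) { return true; } // set exists but restricts nothing for this tag
    foreach ( $candidates as $r ) {
        // Value is "<ca-domain>[; param=value ...]"; a bare ";" names no CA at all.
        $domain = strtolower( trim( explode( ';', $r['value'], 2 )[0] ) );
        if ( $domain !== '' && $domain === strtolower( $ca ) ) { return true; }
    }
    return false; // CAA present and this CA is not authorised
}

// Constructed zone: only ca.example may issue for example.org and its subdomains,
// and nobody may issue wildcard certificates.
$zone = array(
    'example.org' => array(
        array( 'tag' => 'issue',     'value' => 'ca.example' ),
        array( 'tag' => 'issuewild', 'value' => ';' ),
    ),
);
var_dump( caa_permits( $zone, 'www.example.org', 'ca.example' ) );        // authorised CA
var_dump( caa_permits( $zone, 'www.example.org', 'other-ca.example' ) );  // CA not listed
var_dump( caa_permits( $zone, 'www.example.org', 'ca.example', true ) );  // wildcard request
var_dump( caa_permits( $zone, 'unrelated.test', 'other-ca.example' ) );   // no CAA at all
```

The last case is the one worth noticing: a domain with no CAA records anywhere in its ancestry permits every CA, which is exactly the state the report asks to change.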

Could you please make a…

Could you please make a w.org sandbox for @sergeybiryukov? Here’s his public key:


#prio2