Update Apache on lists.wordpress.org

A report came in via HackerOne informing us that lists.wordpress.org is running a version of the Apache web server which contains several known vulnerabilities. It should be updated to the latest in either the 2.2.x or 2.4.x branch.


CAA for wordpress.org

A report came in via HackerOne recommending that Certificate Authority Authorization be implemented for wordpress.org (and other W domains).

CAA allows a domain owner to restrict which CAs are allowed to issue certificates for the domain. It’s been useless until quite recently: the CAB Forum recently voted to enforce CAA checks for all new certificates starting next month, so it’s definitely a useful measure to implement.

More info: https://scotthelme.co.uk/certificate-authority-authorization/


Force SSL for plugins-dev.bbpress.org

It looks like https://plugins-dev.bbpress.org/ uses basic auth and can be used over http. Can we force https?


Symlink for new template file on meta.trac

[4621] adds a new template file for meta.trac.wordpress.org which, according to @nacin, needs to be symlinked.

Could someone do that please? Thanks!


HTTPS for glotpress.org

http://glotpress.org is currently just a redirect to https://glotpress.blog/ but when accessing glotpress.org via https you’ll get a warning about an invalid certificate because it uses the *.wordpress.org one.

Can we get a proper certificate for glotpress.org? Noticed this because https://hackerone.com/wordpress links to https://glotpress.org.


Whitelisted WordCamp Production Data for Dev Environments

Right now WordCamp devs use a small subset of the production database that was manually created, because it wouldn’t be safe to keep copies of the production database in local environments.

That works good enough for most things, but we keep running into situations where reproducing bugs and testing fixes is much harder, and takes much longer, than it would if we had real-world data to work with.

So, I’d like to create a way to safely use a whitelisted copy of production data in local environments. Here’s how I envision it working:

  1. Create a script that runs on the production web server once a day
  2. It would create a copy of the primary database on the production database server
  3. Then run lots of SQL commands against that copy in order to redact anything that hasn’t been whitelisted
  4. Have another script in dev environments that uses sftp to download a copy of the whitelisted database once a day

The whitelist would contain a list of tables, columns, and keys that have been determined to not have any sensitive data. For example:

  • wp_users – The table itself would be whitelisted, but only the ID, user_login, user_nicename, user_registered, user_status, display_name, spam, and deleted fields would be whitelisted. Because user_pass, user_email, and user_activation_key would not be in the whitelist, the script would replace the contents of those columns with [redacted] (or in the case of user_email, redacted@example.org).
  • wp_usermeta – The table itself would be whitelisted, along with the umeta_id, user_id, meta_key, and meta_value columns, but only certain meta_key rows would be whitelisted. For instance, first_name, last_name, description, and wp_capabilities would be whitelisted, but session_tokens and wordcamp-qbo-oauth would not be.

Additionally, the script would have some logic to redact potentially sensitive values within whitelisted columns. For example, any e-mail addresses inside a meta_value value would be replaced with redacted@example.org.

What does Systems think about that? I’d do all the work to build the script, but I want to make sure you don’t have any security/privacy concerns.


Can we get irclogs.wordpress.org updated…

Can we get irclogs.wordpress.org updated from the latest svn?

A recent commit was made to restore the listing of archives (re: #meta-2448).

#irclogs #prio3

SSL for wp.org

As wp.org is now a WordPress.org domain, can we please get SSL enabled for it?

ref https://wordpress.slack.com/archives/meta/p1480801420000002 / https://wordpress.slack.com/archives/meta/p1480909161000077


ERR_SPDY_PROTOCOL_ERROR on certain paged plugin searches

As reported in https://meta.trac.wordpress.org/ticket/1860 W.org is responding incorrectly for certain requests, I’m unsure what the cause is and whether it’s a nginx config or not.

Here’s a cURL command to reproduce:

$ curl -v 'https://wordpress.org/plugins/search.php?page=2&q=plugin'
*   Trying
* Connected to wordpress.org ( port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: *.wordpress.org
* Server certificate: Go Daddy Secure Certificate Authority - G2
* Server certificate: Go Daddy Root Certificate Authority - G2
> GET /plugins/search.php?page=2&q=plugin HTTP/1.1
> Host: wordpress.org
> User-Agent: curl/7.43.0
> Accept: */*
* Empty reply from server
* Connection #0 to host wordpress.org left intact
curl: (52) Empty reply from server

This is lowest of the low priorities, more as a FYI. The plugin directory will hopefully retire soon and this isn’t reproducible against the new directory, most likely due to the change from query variables to rewrites. If this is a wontfix I don’t think anyone will mind.


Can’t delete forwarders in WordCamp.org cPanel

Recently we started getting errors when trying to delete forwarders. For example:

Unable to locate the forwarder “waukesha@wordcamp.org” for account “example@gmail.com” on domain “gmail.com”.

We can still add them, though.

I tried manually edited /etc/valiases/wordcamp.org, but it just got overwritten a few minutes later with same contents it had before, so it seems like it’s not the canonical source for that data.

You can use the iandunntest2 forwarder for waukesha@wordcamp.org as a test.