IRC Meetups/2006/April/April19RawLog

跳转至: 导航搜索

[17:04] photomat1 let's get started br /[17:04] photomat1 meetup br /[17:04] photomat1 big turnout this week br /[17:05] photomat1 any particular reason? br /[17:05] lightdifference spring break maybe? br /[17:05] stevecooley all back to knowing what time to show up? br /[17:05] mdawaffe We all come out for a good HTTP standards debate! br /[17:05] photomat1 word br /[17:06] photomat1 before we GET busy, anyone have any WP news or sorts to toss in? br /[17:06] ringmaster Looking for insight on nonces, and who made up that silly word. br /[17:06] photomat1 anything happen this week? br /[17:06] photomat1 besides the easter massacre br /[17:06] lightdifference photomat1: is lifting off the ground. br /[17:06] photomat1 lightdifference: sweet, that's good to hear br /[17:07] photomat1 who's involved with the project? br /[17:08] lightdifference photmat1: NuclearMoose is leading, and I've been told to hush down about it until we get further. br /[17:08] TonySt Lightdifference, NuclearMoose, Fightingfriends, fimion... br /[17:08] lightdifference tunicwriter! br /[17:08] TonySt And tunicwriter, yes... br /[17:09] photomat1 sounds quite groovy br /[17:09] lightdifference and BigJibby br /[17:09] photomat1 one thing I would like to point out br /[17:09] photomat1 is Podz's suggestion on the wp-forums list, which I think is really cool br /[17:10] photomat1 basically a free WP installation service br /[17:10] photomat1 seems like a nice people to introduce people into the community br /[17:10] mumbles wouldent that mean having there account details to do it with ? br /[17:10] Podz could we have a bit of space on for that? Keep it away but also part of wp? br /[17:10] photomat1 Podz: sure br /[17:10] lightdifference that would be quite cool. br /[17:10] Podz cool :) br /[17:11] photomat1 any way I can support it, let me know br /[17:11] TonySt That might be a security issue br /[17:11] Podz mumbles, they give all their info. we install it for them br /[17:11] ringmaster ...and steal their accounts to send spam. Perfect. I'm in! br /[17:11] * Parts: BeauBright br /[17:11] Podz TonySt, it's what many of us do anyway when we get emailed. doing this just makes it more public br /[17:11] mumbles haha br /[17:12] photomat1 you guys are thinking like developers, not like users br /[17:12] mumbles yeh ive done a few installs myself as well. br /[17:12] lightdifference Podz: I can help out. br /[17:12] mumbles for other people br /[17:12] mdawaffe Podz: will you upgrade sites that you installed as well? br /[17:12] TonySt Podz: Hm.... There best be tight control, then br /[17:12] lightdifference the scary thing is when people IM to and offer to pay you to install OSS. br /[17:12] Podz mdawaffe, doubt that - but it's all still being discussed on the list. br /[17:12] photomat1 we already have concepts of trust with each other based on how long someone has been around, how they contribute, etc br /[17:12] lightdifference you* br /[17:13] * mumbles wonders whats up with his user for the wiki br /[17:13] TonySt photomat1: It's not who we trust, but who people say they are that i'm worried about br /[17:13] photomat1 anyway, the discussion is happening on wp-forums if any of you guys want to pitch in br /[17:14] photomat1 I think it's refreshing br /[17:14] photomat1 it's something I would have never thought of because my brain just thinks of all the edge cases, security, upgrades, hassles, legal stuff, etc br /[17:15] photomat1 which is idea-paralyzing br /[17:15] Podz TonySt, true - that's the core issue but i think we've got it covered br /[17:15] stevecooley OSS doesn't always mean easy to install :) wordpress happens to be extraordinarily easy to install... br /[17:15] TonySt Podz: I'm just skeptical - I'm sure it'll all be fine and it'll work out great br /[17:15] stevecooley some of those groupware OSS packages.... oof br /[17:15] lightdifference *cough* mt *cough* br /[17:15] Podz mt is easy :p br /[17:15] photomat1 as we get bigger and more experience, etc, we shouldn't lose that startup mentality that anything is possible br /[17:16] * TonySt is now known as TonySt|Away br /[17:17] photomat1 okay, everyone put on your asbestos suits, let's talk about the birds and the bees, the GETs and the POSTs, and how blogs are created br /[17:18] * westi|gone is now known as westi br /[17:18] photomat1 mdawaffe: want to start us off? br /[17:18] mdawaffe Some traffic on wp-hackers has set off the old POST v GET br /[17:19] photomat1 a thread that was started because of someone complaining about the referrer check br /[17:19] mdawaffe I like the idea of doing hardcore security checks on POSTs and offering confirmation prompts on GETs br /[17:19] mdawaffe yes br /[17:19] mdawaffe but it's a separate (tough related) issuue br /[17:19] photomat1 I think it's interesting that they weren't complaining about security, but rather the user experience br /[17:20] photomat1 and the thread got obsessed with security br /[17:20] mdawaffe Yes - I wholly agree - that's why I tried to spin it off just now into a new (correlated) thread br /[17:22] mdawaffe Here's what I mentioned on hackers: br /[17:23] photomat1 my main concern is around the experience br /[17:23] photomat1 underscored by the fact br /[17:23] photomat1 that the stupid mail approve comment confirmation has been driving me bonkers since it was added br /[17:23] mdawaffe but maybe hackers is the better place for that discussion. I just wanted to point out exactly what photomat1 pointed out already: the difference between needing security and needing a good interface (both important) br /[17:23] mdawaffe ha :) blame me for that one, photomat1 br /[17:24] photomat1 grr :-p br /[17:25] photomat1 for almost any situation, we can think of something that COULD happen to compromise security br /[17:25] photomat1 the problem becomes when fixing something appears attainable, we all want to code up a storm to block that hole br /[17:25] photomat1 even if it may compromise what was previously a smooth flow br /[17:26] photomat1 there is a conceit that users are idiots and we must protect them from every possible flaw or attack br /[17:26] photomat1 but I think the cookie auth part of the thread was telling br /[17:27] photomat1 not using sessions, etc, was a deliberate decision br /[17:27] mdawaffe which part? that WP is inherently insecure and has been since its inception? br /[17:27] photomat1 we're vulnerable to man-in-the-middle attacks, but so are most applications in the world that don't use SSL br /[17:27] mdawaffe (a statement I don't give two bits to) br /[17:28] mdawaffe I consider that a non-issue br /[17:28] mumbles how hard would would it be to get ssl and wordpress playing nicley ? br /[17:29] mdawaffe I do think, however, that a good flow can be maintained while still blocknig all the holes. We just have to get smart. Perhaps Mark and Owen's ideeas will do just that. br /[17:29] photomat1 mumbles: we have a plugin that does it br /[17:29] mumbles really? goes to google br /[17:29] photomat1 secure-admin br /[17:30] mdawaffe br /[17:30] photomat1 it's what we use on, it also encrypts everything on the cookie level as well as using SSL br /[17:30] ringmaster I think that our ideas are sound. We could even take it a step more toward your (mdawaffe) idea, and make ALL of the solutions pluggable, so whichever one was irritating your client could be removed. br /[17:30] photomat1 but is very much an edge case br /[17:31] mdawaffe photomat1: I think the encryption is handled by a different plugin. (true?) br /[17:31] photomat1 just an include, which I believe we include br /[17:31] photomat1 the encryption part is pluggable br /[17:31] photomat1 ringmaster: then we'd end up mostly where we are now br /[17:31] mdawaffe right br /[17:32] mdawaffe ringmaster: I like pluggable br /[17:32] ringmaster But with Are you sure? questions when all of the detection methods fail. br /[17:32] photomat1 why not have a plugin for people who are paranoid? br /[17:32] photomat1 one step below SSL br /[17:33] * TonySt|Away is now known as TonySt br /[17:33] photomat1 and to complement it, a plugin for people who don't give a dang which turns our built-in referrer check off br /[17:34] skeltoac Don't forget the plugin that denies access to everyone forever after activation. br /[17:34] mdawaffe photomat1: turn off the referer check and perhaps some of the confirmations as well. That way, core is shipped with tight security, and plugins are available to loosen or batten down the hatches br /[17:34] * Joins: rboren br /[17:34] ringmaster Well, it's really not about paranoia. It's about accessing the admin from clients that don't send the referer for some reason. br /[17:35] photomat1 ringmaster: I don't think that's that many people br /[17:35] * Joins: indranil br /[17:35] ringmaster Anyone behind a restrictive proxy. Anyone with crappy old Norton Firewall configured oddly (like, half of them). br /[17:35] photomat1 there were vague references to mobile proxies and such br /[17:36] ringmaster Not that I disagree with the number you suggest, just that the current user experience for them is poor, and it seems kind of needless. br /[17:37] photomat1 what if we allowed the referrer to be blank? br /[17:38] ringmaster Then accessing through throse proxies would permit the attack that checking the referer tries to prevent. br /[17:38] skeltoac Graceful degradation br /[17:38] photomat1 but there's so few of those people it doesn't really matter br /[17:38] photomat1 relative to the # of people using wordpress, the amount the referrer thing comes up is pretty low br /[17:39] mdawaffe (hence the plugin suggestion) br /[17:39] skeltoac We could treat the most destructive actions slightly more aggressively, such as deleting posts. br /[17:39] * Joins: ian6 br /[17:39] stevecooley and changing the admin password? br /[17:40] skeltoac Other than deleting my posts, I don't care about AYS or ref checks. br /[17:40] ringmaster What do the Ajax deletions do now to prevent those cases? Just referer checks? br /[17:40] photomat1 we could put some sort of logging on to see how often the check_admin_referrer die gets triggered, and what is being sent when it does br /[17:40] photomat1 ringmaster: they have an embedded cookie check br /[17:40] mdawaffe stevecooley: changing passwords is already done with a POST. It's safer. br /[17:41] stevecooley ah, ok, thank you :) br /[17:41] ringmaster photomat1: Could this be employed to work with regular admin requests? br /[17:41] photomat1 if we required JS, yes br /[17:41] ringmaster Bah. br /[17:41] mdawaffe ringmaster: only with JS, and it's not as tight as check_admin_ref() br /[17:42] photomat1 the only reason it's done is because we have to turn c_a_r off on those br /[17:42] photomat1 because IE never sends a referral or something br /[17:42] mdawaffe because AJAX is magic, as I recall br /[17:42] photomat1 there be dragons here br /[17:43] skeltoac You know, we could replace ALL of our AJAX work with iframe-targed forms and probably wind up much happier. br /[17:43] skeltoac But that's a tangent. br /[17:43] photomat1 iframes do weird things to the IE throbber and mess up the back button br /[17:43] lightdifference iframes are so...2000. br /[17:44] skeltoac Damned back button. br /[17:44] mdawaffe iframes have a clear lack of named after a greek hero br /[17:44] skeltoac /tangent br /[17:45] photomat1 we have a couple of issues br /[17:45] photomat1 1. the referrer check doesn't work if they get something into the admin section br /[17:45] * Quits: gsnedders br /[17:45] RandyWalker You've never heard of Iframes, a mortal son of Zeus? He had the power to open doors to anywhere! br /[17:46] photomat1 2. when the check fails, it does so in a fairly abrupt way, and that could be improved even though it only affects a small number of users br /[17:46] photomat1 3. we should rip everything out and put in a new submission auth system br /[17:46] photomat1 there's also a 4 floating around br /[17:46] photomat1 which is like 3 but for every page load (re: gfmorris) br /[17:46] stevecooley RandyWalker++ ... i think I saw that guy in the matrix 3 br /[17:47] RandyWalker lol br /[17:48] stevecooley er, matrix 2... bad geek! br /[17:49] mdawaffe 1 seems simple: KSES and some extra filtration on comments and drafts OR convert a few key things to POST br /[17:51] mdawaffe 2 Can we offer a confirmation dialog on referer failure as many have suggested? Essentially build something out of the available globals? br /[17:52] photomat1 2 could be as simple as a non-die screen br /[17:52] mdawaffe 3: I say just add some actions for pluggability (but I still lean toward the POSTify the lot camp) br /[17:52] photomat1 something with a logo and more text br /[17:52] ringmaster Yeah, just replace the die() with something nicer that remains persistent. br /[17:55] mdawaffe And convert all check_admin_referer(); //do stuff to if ( check_admin_referer() ) { //do stuff } ? br /[17:55] photomat1 still a die, just a nicer one br /[17:56] * Quits: indranil br /[17:59] photomat1 the most productive suggestions are basically around making the experience better for those folks who don't send referrers br /[17:59] photomat1 if we can reach that goal without breaking compatibility, editing every form in WP, or compromising our current level of security br /[17:59] photomat1 then we've save ourselves a lot of time and complexity br /[18:00] photomat1 but I may be overestimating how complex ringmaster's or mark's implementations would be, haven't seen any code yet br /[18:01] ringmaster I think in any case, the review of the possibility of the change has been worthwhile for determining whether the next course of action is useful. br /[18:01] photomat1 true br /[18:04] * Joins: facet br /[18:07] photomat1 alrighty, let's wrap it up br /[18:07] photomat1 any more topics before we close? br /[18:07] skeltoac bbq br /[18:07] mumbles apart from the one i added br /[18:08] mumbles how about making error_bot announce when the meetup should be? br /[18:08] photomat1 that'd be cool, who runs it? br /[18:08] skeltoac io_error br /[18:08] TonySt io_error br /[18:08] mumbles ie a |meetup comand that would tell you how long till the next meetup br /[18:08] mumbles io-error i think br /[18:09] mumbles ill ask him the next time he comes online in #wordpress br /[18:10] photomat1 cool, sounds like a good idea br /[18:10] photomat1 arlighty br /[18:10] photomat1 alrighty even br /[18:10] photomat1 thanks everyone for coming out today br /[18:10] photomat1 see you all on the interwebs br /[18:10] photomat1 /meetup

Back to IRC Meetups