#wordpress 2019-03-02

2019-03-02 UTC
[grantcodes] joined the channel
#
boffosocko.com created /WordPress_ActivityPub_plugin (+1485) "stub, definition, development, examples, see also, categories, pagelogo" (view diff)
#
boffosocko.com edited /Template:WordPress (+56) "ActivityPub Plugin" (view diff)
[tantek], [jgmac1106], jackjamieson and [jackjamieson] joined the channel
#
GWG jackjamieson, before I forget, continuing to work on parsing issues
#
jackjamieson GWG Excellent, I've started mapping out next steps for Yarns, and I'm going to set aside some time for coding next week
#
GWG Keep me posted
#
GWG My latest aspect I'm working on is the WordPress post object
#
jackjamieson Do you mean parsing posts internally from WordPress?
#
GWG Not parsing, processing.
#
GWG There's a class built in called MF2 Post I built to do it.
#
GWG It needs to be fixed/improved
#
jackjamieson Ah, that's one of the parts of parse-this I haven't really looked at. Potentially useful if I revise the way Yarns stores feed items, which is not a priority but might be a good idea
#
jackjamieson GWG: Anyway, I should get going. I'll keep you posted on Yarns and will talk to you soon
[tantek], [jeremycherfas] and [pfefferle] joined the channel
#
[pfefferle] [chrisaldrich]++ thanks for creating the ActivityPub page!
#
Loqi [chrisaldrich] has 11 karma in this channel over the last year (48 in all channels)
[kevinmarks], [jgmac1106], [voss], [schmarty] and [tonz] joined the channel
#
[tonz] cc [aaronpk] I’ve been trying to get Ownyourswarm working. Checkins don’t get added to my WP site yet. Micropub and auth are working, judging by logfile and ownyourswarm itself. But check-ins don’t show up. What should I look for in my log files to see if ownyourswarm is attempting to post something?
sketchess joined the channel
#
[tonz] During the authorisation steps, I do, despite it being succesfull, I do see this error message in my log: [Sat Mar 02 13:42:42.408941 2019] [:error] [pid 3716275] [client 80.100.201.169:58808] [client 80.100.201.169] ModSecurity: Warning. Match of “beginsWith %{request_headers.host}” against “TX:1" required. [file “/etc/httpd/modsecurity.d/modsecurity_crs_40_generic_attacks.conf”] [line “163"] [id “950120”] [rev “3"] [msg
#
[tonz] Attack: Off-Domain Reference/Link”] [data “Matched Data: https://ownyourswarm.p3k.io found within TX:1: ownyourswarm.p3k.io”] [severity “CRITICAL”] [ver “OWASP_CRS/2.2.9"] [maturity “9”] [accuracy “9"] [tag “OWASP_CRS/WEB_ATTACK/RFI”] [hostname “www.zylstra.org”] [uri “/blog/wp-json/indieauth/1.0/auth”] [unique_id “XHp6QhC-kRxGFMV8JU3KawAAAAY”], referer: https://ownyourswarm.p3k.io/auth/start?me=https%3A%2F
voxpelli, [Rose], [tantek], [jackjamieson] and [eddie] joined the channel
#
aaronpk [tonz]: weird I don't know what mod security is doing there
#
aaronpk you should see a request to your micropub endpoint in your access logs
#
aaronpk you can click "import now" in OYS to make it try right away
#
Loqi I agree
[schmarty], [voss] and [tonz] joined the channel
#
[tonz] [aaronpk] ok, using the import function of OYS to import a recent check-in, I see the requests to the endpotin in the access log , getting a 501 error. And the error log stating 1) missing user agent header 2) policy/encoding not allowed
#
[tonz] [Sat Mar 02 16:53:11.597135 2019] [:error] [pid 3754989] [client 173.230.155.197:45510] [client 173.230.155.197] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file “/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf”] [line “48"] [id “960009”] [msg “Request Missing a User Agent Header”] [severity “WARNING”] [tag “PROTOCOL_VIOLATION/MISSING_HEADER”] [hostname “www.zylstra.org“] [u
#
[tonz] 173.230.155.197 - - [02/Mar/2019:16:53:11 +0100] “POST /blog/wp-json/micropub/1.0/endpoint HTTP/1.1” 501 237 “-” “-”
#
[tonz] 173.230.155.197 - - [02/Mar/2019:16:53:11 +0100] “POST /blog/wp-json/micropub/1.0/endpoint HTTP/1.0" 501 226 “-” “-”
#
[tonz] [unique_id “XHqm59wTv2ZLgiO24vMCrQAAABA”]
#
[tonz] [Sat Mar 02 16:53:11.597208 2019] [:error] [pid 3754989] [client 173.230.155.197:45510] [client 173.230.155.197] ModSecurity: Access denied with code 501 (phase 2). Match of “rx (?:^(?:application\\\\/x-www-form-urlencoded(?:;(?:\\\\s?charset\\\\s?=\\\\s?[\\\\w\\\\d\\\\-]{1,18})?)??$|multipart/form-data;)|text/xml)” against “REQUEST_HEADERS:Content-Type” required. [file “/etc/httpd/modsecurity.d/modsecurity_crs_30_http_policy.conf
#
[tonz] [msg “Request content type is not allowed by policy”] [severity “WARNING”] [tag “POLICY/ENCODING_NOT_ALLOWED”] [hostname “www.zylstra.org”] [uri “/blog/wp-json/micropub/1.0/endpoint”] [unique_id “XHqm59wTv2ZLgiO24vMCrQAAABA”]
#
[tonz] Will try with a ‘simple’ formatted check-in as well.
#
aaronpk Guess I should add a user agent header
#
aaronpk Sounds like it's rejecting the JSON post request tho. Can you change that rule in mod security?
#
[tonz] OYS now says account disable due to the repeated errors. Logical. Ok, will see if I can change mod sec rules, and retry with the import tool.
#
aaronpk Clicking the manual import should still work even in this state and IIRC it will kick you back to normal once a post successfully goes through.
#
[tonz] your error message says as much, so I assume that will be the case 🙂
#
[tonz] Posting as “simple” goes through and gets posted to WP
#
sknebel WAF--
#
Loqi WAF has -1 karma over the last year
#
[tonz] [aaronpk] is your OYS ip address fixed? (so I could whitelist it for mod sec
#
aaronpk heh it is for now but no promises
#
aaronpk can't you add a rule to allow JSON content type requests?
#
sknebel [tonz]: are you able to change the modsecurity rules? or are those set by your hosting somehow?
#
sknebel if you have access to them, you should have a modsecurity_crs_10_setup.conf file with a line about "setvar:'tx.allowed_request_content_type", there's a list of content types there to which you'd add "application/json"
#
aaronpk [tonz] I just made OwnYourSwarm include a user agent header so that should help
[jgmac1106] and [tonz] joined the channel
#
[tonz] [sknebel] thanks for that. mod sec is set by my hoster. so unless i can change something through htaccess I can’t change that.
#
[tonz] [aaronpk] thanks!
#
aaronpk sounds like you'll need to ask the host to allow JSON content-type requests
#
[tonz] yeah, I’ll shoot them a ticket.
[eddie], [kevinmarks], [tantek], [jgmac1106] and tw2113 joined the channel