#wordpress 2019-05-27

2019-05-27 UTC
gRegorLove, [tantek], gRegorLove_, [tonz] and jeremych_ joined the channel
#
[tonz] Maybe one of you here has a suggestion of where to look for a diagnosis/answer: https://meso.tzyl.nl is a fresh WP install with IndieAuth / MicroPub / Yarns / Webmentions enabled. IndieAuth plugin reports “Authorization Header Found. You should be able to use all clients.” Yet when I try Monocle I get a 403 forbidden unauthorized. I had that before in my real blog, but then IndieAuth also reported issues, and I solved it with adding a r
#
[tonz] have PHP running as FastCGI, not as apache module) . This seems different, but no idea where to start looking for clues.
[jgmac1106] and [tonz] joined the channel
#
Zegnat [tonz]: can you still manually run the authorization header test somewhere? It used to have a special output section for your friendly indieweb developer
#
Zegnat Wonder if that can give us any pointers
#
[tonz] yes, except that friendly indieweb dev output now says everything’s fine. Except it isn’t.
#
[tonz] “Authorization Header Found. You should be able to use all clients.”
#
Zegnat Hmm
#
Zegnat That text doesn’t exist in my initial test code :P Which should have a “for your friendly neighbourhood developer” section. But I guess GWG changed things around
#
[tonz] yeah, I looked up the php file that generates that section, the friendly indieweb dev text is in there (as I remembered from IWC Nuremberg)
#
Zegnat I think you should be able to run authdiag.php completely standalone if the plugin gives you access to it. Which may be able to tell you more about your current setup
#
[tonz] ok. I’ll try that.
#
[tonz] authdiag.php doesn’t return results if run on its own.
#
[tonz] it shows the form, but submitting doesn’t seem to do anything
#
Zegnat That’s odd
#
GWG The plugin still has authdiag
#
GWG I just ran it
#
[tonz] @gwg, I know, the plugin reports all headers working, but using a micropub client returns 403 forbidden unauthorised, suggesting the headers don’t get passed.
#
GWG https://meso.tzyl.nl/wp-content/plugins/indieauth/authdiag.php
#
GWG Unauthorized could mean something else
#
[tonz] yes, when I fill in my url in that form nothing returns.
#
GWG You filled in the URL I just pasted?
#
[tonz] no. just https://meso.tzyl.nl
#
[tonz] ah the full url does give results
#
[tonz] says the redirect http auhtorisation is unavailable, the others come back green
#
[tonz] that is the same as on my blog where the headers are working. So the unauthorised should come from something else?
#
Zegnat Yep
#
GWG Exactly
[Rose] joined the channel
#
GWG Question is what.
#
GWG Did you check error logs?
#
[tonz] I just tried to login with Monocle, and get this entry in the error log:
#
[tonz] “/wp-content/plugins/indieauth/authdiag.php”] [unique_id “XOvVmfX61lNM2-f-di2tUAAAAAA”]
#
[tonz] [Mon May 27 14:18:33.673269 2019] [:error] [pid 1311067] [client 2001:1690:22:200::41:56480] [client 2001:1690:22:200::41] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file “/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf”] [line “48"] [id “960009”] [msg “Request Missing a User Agent Header”] [severity “WARNING”] [tag “PROTOCOL_VIOLATION/MISSING_HEADER”] [hostname “meso.tzyl.nl
[grantcodes] joined the channel
#
Zegnat doesn’t like modsecurity and its meaningless defaults
#
Zegnat Does that warning level severity lead to a block of some kind? That would be weird. Also not sure what modsecurity cares about the lack of User Agent header
#
GWG None of the requests I make lack one, I think
[frank], [grantcodes] and jackjamieson joined the channel
#
GWG Hi, jackjamieson
#
jackjamieson Hi GWG, how's it going?
#
GWG Have the day off for the holiday
cambridgeport90 joined the channel
#
jackjamieson Oh right, I forgot it's a holiday in the States
#
cambridgeport90 Has anyone else been experiencing the issue with the ActivityPub plugin where follow requests seem to need approval? I've got that issue right now, and haven't quite figured out how to fix it. I've seen that it's sort of one of those random things.
#
GWG jackjamieson, looking at your style problem and it is a potential issue when combined with the fatwigoo issue I just worked on
#
GWG So I have to be clever, I guess
#
jackjamieson GWG, what's the fatwigoo problem?
#
GWG What is fatwigoo?
#
Loqi Fatwigoo is an embedded SVG image that depends on (external) CSS for its width https://indieweb.org/Fatwigoo
#
GWG I put an inline style on my svgs
#
GWG But I can filter style from divs
#
jackjamieson Ah, interesting
#
GWG I think aaronpk is right, we need some recommendations for Microsub endpoints on stripping content parameters
#
GWG But this dovetails into something related, so I am working on both
#
GWG Content in feeds
#
GWG RSS and json and how I represent content
#
GWG So I can explore it all at the same time
#
jackjamieson Yeah, I'm not sure how to balance it. I can think of plenty of cases in which preserving style attributes is useful, and just as many where it can cause problems
#
GWG If you check the logs, I was asking manton about this for micro.blog yesterday
#
GWG In dev
#
GWG So need to think
#
cambridgeport90 I've seen some weird things with styles in feeds, too.
#
GWG So, minimize issues but can't eliminate
#
jackjamieson Yep, there's bound to be a compromise. Overall improving the sanitization isn't a top priority for me right now because I've got plenty of lower hanging fruit to take care of first
#
GWG I am doing it as part of a multi plugin effort
#
GWG To improve sanitization in feeds as well
#
jackjamieson GWG, I wonder if there are also cases where Yarns' needs diverge from those of Post Kinds (or other potential users of Parse-This). i.e. if Yarns should perform additional sanitization after Parse-This is done (or if Parse-This should have accept arguments to customize its sanitization). Do you think this is the case?
#
cambridgeport90 What sorts of plugins are you creating?
#
jackjamieson cambridgepost90, I'm working on a Microsub Server called Yarns. It uses a library called Parse-This, which GWG built. Parse-This originates from GWG's IndieWeb Post Kinds plugin, and he turned it into a library since my plugin has similar parsing needs
#
jackjamieson cambridgeport90, Oops, sorry I had a typo in your name in my last message
#
jackjamieson Sorry I can't be much help with your ActivityPub plugin question, I haven't used it yet (I keep meaning to check out ActivityPub more closely but get distracted by other things)
#
jackjamieson GWG, I'm going to disappear into a distraction-free writing bubble (hopefully for the rest of the day). I've got some time earmarked for development tomorrow - I think I'll see about improving search speed, so I'll let you know if I figure anything out that could be pulled back into Parse-This
[tonz], dougbeal|mb1 and cambridgeport90 joined the channel
#
cambridgeport90 I'm not creating anything as of yet, though my language goals right now are PHP and C#; want to see if I can add some Indieweb stuff to one of the C# blogging platforms. But until then, I'm using wordpress. The thing also that I'm having with activityPub is that posts are not getting visible. If you key into a mastodon/Pleroma/Friendica search field, cambridgeport90@cambridgeport90.net, you should find me, though not sure whether or
#
cambridgeport90 find any posts there.
#
cambridgeport90 I was wondering the reasons for parse-this.
#
GWG !tell jackjamieson Will continue to work on the problem
#
Loqi Ok, I'll tell them that when I see them next
[jgmac1106] joined the channel
#
[jgmac1106] Something always happened with my shared host that caused a timeout with Bridgy Fed or the OStatus WP plugins
[cleverdevil], [schmarty] and [frank] joined the channel
#
doubleloop cambridgeport90: have you posted any notes since you added the ActivityPub plugin?
#
doubleloop Only new posts will appear in your ActivityPub feed (I think)
[tantek], [eddie] and [tonz] joined the channel
#
[tonz] ok, looked a bit more at the error logs of my WP sandbox https://meso.tzyl.nl I tried to login from Quill. Quill reports successful autorisation, but gets no token it seems. The error log shows [Mon May 27 21:28:19.612420 2019] [:error] [pid 1427562] [client 173.230.155.197:41916] [client 173.230.155.197] ModSecurity: Warning. Match of “beginsWith %{request_headers.host}” against “TX:1" required. [file
#
[tonz] “/etc/httpd/modsecurity.d/modsecurity_crs_40_generic_attacks.confâ€�] [line “163"] [id “950120â€�] [rev “3"] [msg “Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Linkâ€�] [data “Matched Data: https://quill.p3k.io/ found within TX:1: quill.p3k.io/“] [severity “CRITICALâ€�] [ver “OWASP_CRS/2.2.9"] [maturity “9â€�] [accuracy “9"] [tag “OWASP_CRS/WEB_ATTACK/RFIâ€�] [hostname “meso.tzyl.nlâ€�] [uri â€
#
[tonz] [Mon May 27 21:28:21.794309 2019] [:error] [pid 1461351] [client 173.230.155.197:41930] [client 173.230.155.197] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file “/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf”] [line “48"] [id “960009”] [msg “Request Missing a User Agent Header”] [severity “WARNING”] [tag “PROTOCOL_VIOLATION/MISSING_HEADER”] [hostname “meso.tzyl.nl”] [uri
#
[tonz] “XOw6U0Y2A5iVFP7H1eKPUwAAAAY”]
#
[tonz] “XOw6VW1lfobSLe3pJqbP0gAAAAE”]
#
[tonz] I remember that bit from earlier on my real blog, where I added SetEnvIfNoCase Remote_Addr ^173.230.155.197$ MODSEC_ENABLE=Off to htaccess to whitelist what I think is [aaronpk]’s ip address for Quill
#
aaronpk this is interesting: "Request Missing a User Agent Header"
#
aaronpk if you can disable mod security for that IP address that seems like a good solution
#
[tonz] that SetEnvIfNoCase addition to my htaccess doesn’t seem to do anything. I’ll go see if I had the hoster whitelist that IP instead.
#
[tonz] Nevertheless it wouldn’t help solve it generally
#
[tonz] Hmm, the ticket I submitted to my hoster had to do with getting JSON accepted as allowed content type for requests. Something different from this I think
voxpelli and [grantcodes] joined the channel
#
GWG I wonder where there isn't a user agent though
#
aaronpk that's probably quill not sending a user agent. tho it appears to be just a warning so probably isn't the cause
#
GWG Is it just Quill?
#
GWG [tonz]: Did you try another client?
#
GWG You think it is the possible RFI attack?
#
GWG https://stackoverflow.com/questions/32819240/updating-apache-mod-security-core-rule-owasp-rule-950120-to-allow-urls-in-one-sp
[Rose], [manton], gRegorLove_ and [tantek] joined the channel