
[LUG] Wordpress plugins was Re: DCGLUG Website glitch


On Saturday, 6 February 2021 14:10:53 GMT Simon Avery wrote:
> 
> And good luck with your request. I like Wordpress a lot, but its very
> design means that any plugin that is broken can stop Wordpress in its
> tracks.  Devs are very aware of this but have never been able to protect
> Wordpress core from its plugins. They're both Wordpress's biggest strength,
> and its biggest weakness.

In this instance the PHP files in the plugin didn't pass the PHP parser due to 
use of short tags for PHP. I suggested PHP's "syntax-checking" option could be 
an SVN checking hook for ".php" files, since they use Subversion for release 
management of plugins, but the plugin lead didn't seem keen. That would at 
least ensure that PHP files can be parsed without error.

I was pleasantly surprised that the WordPress instance emailed me to tell me 
it was broken, but I didn't find that email until after I'd picked up the 
down-monitoring alert and fixed it, and it feels like release checks are far 
too weak.

I fear WordPress plugins should be treated a bit like browser extensions: they 
are useful, but you have to trust the authors, so use them sparingly and with 
focused purpose.

There are some basic issues with WordPress which can't readily be fixed. The 
lack of a content security policy is a nagging one for me, as I do a very basic 
security plugin and people want it to do CSP, but CSP really requires every 
plugin author to declare what resources they use. I can hack a CSP in place, 
but it will be either too broad to be useful or fragile and break stuff.

I'm not sure an architecture that protects you from rogue plugins is 
desirable, as I suspect it could be too unwieldy for plugin authors or make 
plugins less useful. 

However, a plugin that declares some sort of contract, including CSP resources, 
would at least make it practical to enforce further controls. Such a contract 
would include endpoints, resources and possibly more on the URLs. The idea that 
you can exploit any upload vulnerability to dump a file randomly in a plugin 
directory and it just works seems very noughties (as in 2000-2009). WordPress 
is constrained by the expected environments, but it is feeling very dated in 
terms of web security features.

-- 
The Mailing List for the Devon & Cornwall LUG
https://mailman.dcglug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
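The "syntax-checking option as an SVN hook" suggested above, written out as a Subversion pre-commit hook. This is an added example, not code from the post or from WordPress.org's plugin repository tooling; it assumes `svnlook` and `php` are on the hook's PATH and that Subversion invokes it as `pre-commit REPOS-PATH TXN-NAME`. Note one caveat the post's short-tag incident makes relevant: with `short_open_tag=Off` a `<?` block is not a parse error at all, it is emitted as literal text, so `php -l` alone passes it. The hook therefore also rejects short open tags explicitly.

```php
#!/usr/bin/env php
<?php
// Hypothetical Subversion pre-commit hook: reject commits whose .php files do
// not parse. Added example, not the DCGLUG post's code or WordPress.org tooling.
// Assumes `svnlook` and `php` are on PATH. A non-zero exit rejects the commit
// and whatever was written to stderr is shown to the committer.

function sh(string $cmd, ?int &$rc = null): string
{
    $out = [];
    exec($cmd . ' 2>&1', $out, $rc);
    return implode("\n", $out);
}

// Run `php -l` on $content with short tags disabled, matching a production
// php.ini where short_open_tag=Off. Returns the lint message, or null if clean.
function lintPhp(string $content): ?string
{
    $tmp = tempnam(sys_get_temp_dir(), 'lint');
    file_put_contents($tmp, $content);
    $msg = sh('php -d short_open_tag=0 -d display_errors=1 -l ' . escapeshellarg($tmp), $rc);
    unlink($tmp);
    return $rc === 0 ? null : trim($msg);
}

// With short_open_tag=Off a `<?` block is silently emitted as literal text
// rather than failing to parse, so catch it explicitly. Returns the line number.
function findShortTag(string $content): ?int
{
    if (preg_match('/<\?(?!php\b|=)/i', $content, $m, PREG_OFFSET_CAPTURE)) {
        return substr_count(substr($content, 0, $m[0][1]), "\n") + 1;
    }
    return null;
}

if ($argc < 3) {
    fwrite(STDERR, "usage: pre-commit REPOS TXN\n");
    exit(1);
}
[, $repos, $txn] = $argv;
$look = 'svnlook %s -t ' . escapeshellarg($txn) . ' ' . escapeshellarg($repos);

$changed = sh(sprintf($look, 'changed'), $rc);
if ($rc !== 0) {
    fwrite(STDERR, "svnlook changed failed: $changed\n");
    exit(1);
}

$errors = [];
foreach (explode("\n", $changed) as $line) {
    // Lines look like "A   tags/1.2/foo.php": status letter(s), whitespace, path.
    if (!preg_match('/^[AU]\S?\s+(.+\.php)$/i', $line, $m)) {
        continue; // deletions, directories and non-PHP files need no parsing
    }
    $path = $m[1];
    // Read the file as it will exist after the commit, not the working copy.
    $content = sh(sprintf($look, 'cat') . ' ' . escapeshellarg($path), $rc);
    if ($rc !== 0) {
        $errors[] = "$path: could not read from transaction";
        continue;
    }
    if (($ln = findShortTag($content)) !== null) {
        $errors[] = "$path:$ln: short open tag '<?' found; use '<?php'";
    }
    if (($msg = lintPhp($content)) !== null) {
        $errors[] = "$path: $msg";
    }
}

if ($errors) {
    fwrite(STDERR, "Commit rejected, PHP files must parse cleanly:\n  "
        . implode("\n  ", $errors) . "\n");
    exit(1);
}
exit(0);
```

The hook lints the transaction content via `svnlook cat` rather than the committer's working copy, so it checks exactly what would be released; a failing `svnlook cat` is itself treated as a rejection rather than silently skipped.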
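The "contract including CSP resources" idea from the post, sketched as a must-use plugin. This is an added illustration, not the post author's security plugin or anything in WordPress core; the filter names `csp_contract_sources` and `csp_contract_enforce` are hypothetical. It hooks the real `send_headers` action, merges the origins each plugin declares into one policy, refuses declarations that would gut it (`*`, `'unsafe-inline'`, bare schemes), and starts in Report-Only mode because undeclared resources would otherwise simply be blocked.

```php
<?php
/*
 * Plugin Name: CSP contract (added example)
 * Illustrative mu-plugin, not part of the DCGLUG post's plugin or of WordPress
 * core. Plugins declare the origins they load from via the hypothetical filter
 * `csp_contract_sources`; this file merges them into one header.
 */

// Baseline: only this site. Plugins may add origins but never widen to '*'.
const CSP_CONTRACT_BASE = [
    'default-src'     => ["'self'"],
    'script-src'      => ["'self'"],
    'style-src'       => ["'self'"],
    'img-src'         => ["'self'", 'data:'],
    'connect-src'     => ["'self'"],
    'frame-ancestors' => ["'self'"],
];

// Merge plugin declarations into $base. Unknown directives and source
// expressions that would neuter the policy are collected in $rejected.
function csp_contract_merge(array $base, array $declared, array &$rejected = []): array
{
    $valid = '~^(https://[A-Za-z0-9.*-]+(:\d+)?|wss://[A-Za-z0-9.-]+|\'self\'|data:|blob:)$~';
    foreach ($declared as $directive => $sources) {
        foreach ((array) $sources as $src) {
            if (!isset($base[$directive]) || !preg_match($valid, $src)) {
                $rejected[] = "$directive $src";   // e.g. "script-src *"
                continue;
            }
            $base[$directive][] = $src;
        }
    }
    foreach ($base as $directive => $sources) {
        $base[$directive] = array_values(array_unique($sources));
    }
    return $base;
}

// Serialise the policy array as a header value.
function csp_contract_header(array $policy): string
{
    $parts = [];
    foreach ($policy as $directive => $sources) {
        $parts[] = $directive . ' ' . implode(' ', $sources);
    }
    return implode('; ', $parts);
}

if (function_exists('add_action')) {   // only wire hooks when WordPress is loaded
    add_action('send_headers', function () {
        $declared = apply_filters('csp_contract_sources', []);   // hypothetical
        $policy   = csp_contract_merge(CSP_CONTRACT_BASE, $declared, $rejected);
        foreach ($rejected as $r) {
            error_log("csp-contract: rejected declaration '$r'");
        }
        // Report-only until every plugin's contract is complete; then enforce.
        $name = apply_filters('csp_contract_enforce', false)
            ? 'Content-Security-Policy'
            : 'Content-Security-Policy-Report-Only';
        header($name . ': ' . csp_contract_header($policy));
    });

    // How a plugin would declare its contract (hypothetical example plugin).
    add_filter('csp_contract_sources', function (array $declared) {
        $declared['script-src'][]  = 'https://cdn.example.test';
        $declared['connect-src'][] = 'https://api.example.test';
        return $declared;
    });
}
```

Running this in Report-Only mode against a stock site shows the problem the post describes: WordPress core's own front-end output includes inline scripts, so even with every plugin declaring its origins the policy needs a per-request nonce or hash scheme before it can be enforced without breaking pages.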