Maintenance: updating deps, icon chooser, and accommodating security policies #218
Merged
…whitespace in GQL query
This reverts commit 3fe029a.
- add a service that uses php4.7 - change the wp 4.7 service to just use the standard wpdb
…ing the welcome guide
There are a few key things going on here:

Overhaul the admin JavaScript bundle

- @wordpress/scripts for building the bundle

Accommodating the OWASP core rule set used by mod_security

An all too common problem encountered by users has been that their WordPress servers reject requests sent by the browser from our React code due to some security policy.

Turns out, the default OWASP core ruleset, which is probably what is often used for a "Web Application Firewall" via mod_security, has a couple of rules that are probably responsible for this:

1. Rejecting requests that use the PUT method

There have been several requests in this plugin that use PUT. We've used that in part because the WordPress Plugin Developer Handbook for the REST API specifically recommends it:

Perhaps some WordPress-specific installations of the OWASP ruleset are customized to allow the PUT method at least on the /wp/* core routes. Even if so, they may not allow PUT requests for this plugin's routes.

In some cases, users have been able to get system administrators to add exclusions to allow these requests. But given how deeply baked in these rulesets are and how difficult it can be to diagnose the problem, and have the Web Application Firewall rules adjusted, it seems better to just change from PUT to POST.

On a quick check of WordPress 6.5.4, using the block editor to update an existing page still uses a POST request, even though that seems like an obvious case of updating a resource. So it may be that WordPress itself does not even follow its own recommendation in this regard.

2. Rejecting requests that lack a Content-Type header

The query handler for the icon chooser, while it has always used POST, has not added a Content-Type header. Since the default is text/plain, and the POST body has, in fact, been a plain text GraphQL query document, this seems Not Wrong. But it's also reasonable that the OWASP rules are strict about this. So this has been changed to use Content-Type: application/json, which is acceptable to OWASP.

Update the Icon Chooser

The icon chooser has been updated to dynamically populate the families and styles of icons available in the active version of Font Awesome. So, going forward, as new familyStyles are released, there'll be no need to update the icon chooser or plugin in order for those new familyStyles to become available in the icon chooser.
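The two WAF behaviours described in the "Accommodating the OWASP core rule set" section above (rejecting PUT, rejecting a body with no Content-Type) can be reproduced locally before a request ever reaches a server. The JavaScript below is an added example, not code from this plugin or the PR: it builds the "before" request shapes the PR describes next to the "after" shapes (POST plus an explicit application/json Content-Type) and runs each through a simplified model of those two rule behaviours. The model is not the OWASP core rule set itself, the allowed-method list is an assumption, and the routes, payload, nonce value and GraphQL document are constructed placeholders; wrapping the GraphQL document in a JSON object is also an assumption, since the PR only states the new Content-Type.

```javascript
// Added example, not code from the plugin or the PR. Builds the request
// shapes the PR description contrasts and checks each against a simplified
// model of the two WAF rule behaviours the PR attributes to the OWASP CRS.

// Simplified model of the two rule behaviours named in the PR. This is not
// the OWASP core rule set itself; the allowed-method list is an assumption.
const ALLOWED_METHODS = new Set(['GET', 'HEAD', 'POST', 'OPTIONS']);

function lowerCaseKeys(headers) {
  return Object.fromEntries(
    Object.entries(headers).map(([name, value]) => [name.toLowerCase(), value])
  );
}

// Returns { allowed, reasons } for a request object { method, headers, body }.
function wafCheck(req) {
  const reasons = [];
  const method = String(req.method).toUpperCase();
  if (!ALLOWED_METHODS.has(method)) {
    reasons.push(`method ${method} is not allowed by policy`);
  }
  const headers = lowerCaseKeys(req.headers || {});
  const hasBody = typeof req.body === 'string' && req.body.length > 0;
  if (hasBody && !headers['content-type']) {
    reasons.push('request carries a body but no Content-Type header');
  }
  return { allowed: reasons.length === 0, reasons };
}

// "Before" shapes as the PR describes them (constructed for illustration).
function legacyUpdateRequest(route, payload) {
  return {
    method: 'PUT',
    url: route,
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(payload),
  };
}

function legacyGraphqlRequest(route, queryDocument) {
  // Plain-text GraphQL document sent with no Content-Type header at all.
  return { method: 'POST', url: route, headers: {}, body: queryDocument };
}

// "After" shapes: POST everywhere, JSON body, explicit Content-Type, plus the
// X-WP-Nonce header that WordPress REST requests from the admin normally carry.
function jsonPostRequest(route, bodyObject, nonce) {
  return {
    method: 'POST',
    url: route,
    headers: { 'Content-Type': 'application/json', 'X-WP-Nonce': nonce },
    body: JSON.stringify(bodyObject),
  };
}

function updateRequest(route, payload, nonce) {
  return jsonPostRequest(route, payload, nonce);
}

function graphqlRequest(route, queryDocument, nonce) {
  // Assumption: the document travels as {"query": "..."} inside a JSON body.
  return jsonPostRequest(route, { query: queryDocument }, nonce);
}

// Runs all four shapes through the model and returns the verdicts.
function compareRequests() {
  const nonce = 'placeholder-nonce';                        // constructed
  const settingsRoute = '/wp-json/example-plugin/v1/conf';  // placeholder route
  const graphqlRoute = '/wp-json/example-plugin/v1/api';    // placeholder route
  const payload = { version: '6.5.1' };                     // constructed sample
  const queryDocument =
    'query { release(version: "6.5.1") { familyStyles { family style } } }'; // constructed

  return {
    legacyUpdate: wafCheck(legacyUpdateRequest(settingsRoute, payload)),
    legacyGraphql: wafCheck(legacyGraphqlRequest(graphqlRoute, queryDocument)),
    update: wafCheck(updateRequest(settingsRoute, payload, nonce)),
    graphql: wafCheck(graphqlRequest(graphqlRoute, queryDocument, nonce)),
  };
}

// Uncomment to print the verdicts when run directly with Node:
// console.log(JSON.stringify(compareRequests(), null, 2));
```

Running compareRequests() shows the two legacy shapes each rejected for exactly one reason (the method, or the missing header) and both post-change shapes passing, which is the diagnosis the PR makes: switching to POST removes the method complaint, and sending an explicit Content-Type removes the other, without needing a per-site WAF exclusion.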
Closes #217