How secure is your WordPress installation?


I have been using WordPress for this blog for several years and always thought my setup was reasonably secure. Turns out that there is something called the WordPress REST API which allows anybody to retrieve quite a lot of information about the installation without any authentication at all. E.g. https://blog.dummzeuch.de/wp-json/wp/v2/users used to show a list of all my registered users (all three of them: me, myself and I). But that’s only by coincidence because I have disabled comments. There are similar lists for all articles, all pages and – most worrying – all media content. So, if I had ever used the upload feature of my blog to share a file with somebody else, it would have been possible for anybody who knew about this REST API to find the file name and access that file.

I read about this security (or at least privacy) hole in the current issue of the German c’t magazine (I am subscribed to the dead tree edition). And today I plugged it. For this particular problem, there is a simple fix: Install the Disable WP REST API plugin. It changes the API to only work when a user is logged in. Others get the error:

{"code":"rest_login_required","message":"REST API restricted to authenticated users.","data":{"status":401}}

In case you are worried: The WordPress Android App still works even if that plugin is installed.
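For readers who prefer not to install a plugin, the same restriction can be expressed as a small must-use plugin. This is an added example, not the code of the Disable WP REST API plugin; it uses the standard WordPress rest_authentication_errors filter and reproduces the error shape shown above.

```php
<?php
/**
 * Plugin Name: Require login for the REST API (example mu-plugin)
 *
 * Save as wp-content/mu-plugins/require-rest-login.php; must-use plugins
 * are loaded automatically and need no activation.
 *
 * Unauthenticated requests to any /wp-json/ route receive a 401 with the
 * same JSON body shown in the post. Requests that carry a valid WordPress
 * login (cookie session, application password, etc.) are left alone.
 */

add_filter( 'rest_authentication_errors', function ( $result ) {
    // Another authentication handler has already reached a verdict:
    // true means "authenticated", a WP_Error means "failed". Never
    // overwrite either one.
    if ( ! empty( $result ) ) {
        return $result;
    }

    // No verdict yet and nobody is logged in: reject the request.
    // This filter runs at the default priority (10), i.e. before the
    // core cookie/nonce check that WordPress hooks at priority 100, so
    // anonymous requests are stopped here and never reach a route.
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_login_required',
            'REST API restricted to authenticated users.',
            array( 'status' => 401 )
        );
    }

    // Logged-in user and no error so far: let the request continue.
    return $result;
} );
```

After saving the file, an anonymous request to /wp-json/wp/v2/users should answer with HTTP 401 and the rest_login_required body instead of the user list; if it still returns the list, check that the mu-plugins directory is actually being loaded.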

And since I am always curious I tried some other blogs and found quite a few for which this API was open.

I also changed the WordPress login page to require basic authentication as described here (in German). Yes, that means two logins are required now, but that’s not much of an inconvenience since I am the only user.

If you want to discuss this article, go to the related post in the international DelphiPraxis forum.

 Posted by on 2020-10-24 at 18:27

GExperts 1.3.17 experimental twm 2020-10-23 released


Guess what? The new GExperts release is here.

There are lots of bug fixes and a few new features in the new version.

The major new feature is the Filter Exceptions expert. Please be warned that there was a bug when developing for non-Windows targets. It might have been fixed, but I can’t test it and nobody else bothered to volunteer to test it. So there you go: Now you will be a tester, whether you like it or not. If you encounter this problem, please file a bug report!

There is also a small improvement in the PE Information tool (I won’t call it an expert any more because it’s now a stand-alone executable that GExperts only calls).

Also, the installer is now based on InnoSetup 5.6.1 which was the last version compatible with Windows XP. So, installing GExperts on Windows XP (VMs) should work again.

I hope this time the installers won’t be wrongly detected as malware by virus scanners. Sorry about that.

Please note that GExperts for Delphi 10.4 requires Update 1!

The new version is available for download on the GExperts download page.

If you want to discuss this article, you can do so in the corresponding post in the international Delphi Praxis forum.

 Posted by on 2020-10-23 at 18:07

Contributing to projects on GitHub with Subversion


Many open source projects have moved from the former top dog SourceForge to GitHub and in the process usually converted from Subversion to git. This also includes quite a few Delphi libraries like project Jedi (JCL/JVCL), SynEdit or Indy.

I am not really comfortable with git, it just feels too complex for most projects and the GUI tools I have tried are clunky compared to TortoiseSVN. I see some advantages, but so far I’m not convinced. So, I have stayed with SVN and used that to access GitHub repositories through their git-svn bridge. This works fine, most of the time, unless you want to rename a file, which apparently is not possible for whatever reason.

Now, contributing to such projects is another challenge. You need to create something called “pull requests”, which basically is a way of creating patches that are centrally managed by GitHub together with a discussion area for them. It took me a while to get my head around the process but I think I got it now. So here are the steps:

  1. Get a GitHub account. There is no way around that.
  2. Fork the repository of the project to which you want to contribute.
  3. Create a branch in that forked repository. You need a separate branch for each pull request you want to create! (That was the main stumbling block for me, I just didn’t realize this. It’s probably documented somewhere but I overlooked it.)
  4. Check out that branch.
  5. Make your changes in that branch.
  6. Commit those changes and push them to GitHub.
  7. On GitHub, create a pull request.

There are many sites that give you these steps, sometimes with examples on how to do them, but always using git. Here is how to do it without a git client, using svn and the aforementioned git-svn bridge.

GitHub shows a URL for each repository that can be accessed via git or svn. It looks like this:

https://github.com/[account]/[project].git

Remember that this URL refers to the whole repository, so in order to check out only the trunk (master branch) or a branch, you need to add /trunk or /branches/[branchname] to it.

Creating a branch can be done either with svn in the usual way or with the web UI on GitHub. I prefer the latter, which is done by typing a non-existing name into the branch selector and pressing Enter.

For the following steps let’s assume we created a branch called “pullrequesttest”.

Using the svn client of your choice (mine is TortoiseSVN), check out the sources of the branch we just created. The URL would be:

https://github.com/[account]/[project].git/branches/pullrequesttest

Just make your changes and commit them the usual way. Subversion does not distinguish between a commit and a push to the server as git does.

The branch now contains the changes you want to submit to the project.

On GitHub, select that branch and you will see a message about your changes and a button “Compare & pull request”.

Click that button, add a comment and submit the pull request. It should show up on the original project’s page. Somebody with the rights to it can now approve and merge these changes. They can also be discussed there. Maybe some further improvements are necessary to get them accepted. For that you simply make changes to the code you have checked out and commit them to the same branch. They will automatically become part of the pull request. (Remember that I said you need a separate branch for each pull request? That’s why.)

Now suppose there are other, unrelated changes you would like to submit? Start by creating a new branch based on master, check out the code, make the changes, commit them and create a new pull request for the new branch.

Just remember to never make any changes to the trunk (= master branch). That one is meant to have the same content as the original repository and to be the base for each branch used for a pull request.

I’m sure this description is more complicated than it needs to be. My main idea in writing this article is to get a starting point for creating pull requests without having to use git. If you can think of improvements, please discuss them in Delphi Praxis. Note that this is not meant to become a discussion about the merits of git vs. Subversion. We don’t need another one of these.

 Posted by on 2020-10-01 at 11:48