Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Protect: no empty headers #14859

Merged
merged 2 commits into from
Mar 5, 2020
Merged

Protect: no empty headers #14859

merged 2 commits into from
Mar 5, 2020

Conversation

roccotripaldi
Copy link
Member

@roccotripaldi roccotripaldi commented Mar 3, 2020
edited
Loading

Fixes an issue where sending empty IP-related headers can result in false positives for a misconfigured server.

Changes proposed in this Pull Request:

  • There are some IP related headers that Protect gives priority, example GD_PHP_HANDLER
  • In some cases, this header exists, but it's empty
  • When Protect tries to use an empty trusted header, it results in the module shutting off because of a perceived misconfiguration
  • This PR aims to mitigate false positives by not sending empty headers

Is this a new feature or does it add/remove features to an existing part of Jetpack?

  • Issue is discussed more here: p9dueE-1fl-p2

Testing instructions:

  • Try spinning up a new Jurassic.ninja website
  • in wp-config.php set $_SERVER['GD_PHP_HANDLER'] = '' ( an empty string )
  • ensure that a trusted header is not set to GD_PHP_HANDLER
  • try setting $_SERVER['GD_PHP_HANDLER'] = '1.1.1.1'
  • ensure that a trusted header is set to GD_PHP_HANDLER

Proposed changelog entry for your changes:

  • None

@roccotripaldi
Protect
6c858fe 
We should never send an empty header to the Protect server.
It can result in false positives for misconfigured servers.
@roccotripaldi roccotripaldi added [Type] Bug When a feature is broken and / or not performing as intended [Feature] Protect Also known as Brute Force Attack Protection [Status] Needs Review To request a review from Crew. Label will be renamed soon. [Status] Needs Testing We need to add this change to the testing call for this month's release labels Mar 3, 2020
@roccotripaldi roccotripaldi added this to the 8.4 milestone Mar 3, 2020
@roccotripaldi roccotripaldi requested a review from a team as a code owner March 3, 2020 01:29
@jetpackbot
Copy link

jetpackbot commented Mar 3, 2020
edited
Loading

Thank you for the great PR description!

When this PR is ready for review, please apply the [Status] Needs Review label. If you are an a11n, please have someone from your team review the code if possible. The Jetpack team will also review this PR and merge it to be included in the next Jetpack release.

Scheduled Jetpack release: April 7, 2020.
Scheduled code freeze: March 31, 2020

Generated by 🚫 dangerJS against 71dae42

@htdat
Copy link
Member

htdat commented Mar 4, 2020
edited
Loading

I tested on a Jurassic.ninja site and confirm the testing instruction above works and confirm it fixes the issue mentioned in 4372-gh-jpop-issues.

jeherve
jeherve requested changes Mar 4, 2020
View reviewed changes
modules/protect.php Outdated Show resolved Hide resolved
@jeherve jeherve added [Status] Needs Author Reply We would need you to make some changes or provide some more details about your PR. Thank you! and removed [Status] Needs Review To request a review from Crew. Label will be renamed soon. labels Mar 4, 2020
@roccotripaldi @jeherve
Update modules/protect.php
71dae42 
Co-Authored-By: Jeremy Herve <[email protected]>
jeherve
jeherve approved these changes Mar 5, 2020
View reviewed changes
Copy link
Member

@jeherve jeherve left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@jeherve jeherve added [Status] Ready to Merge Go ahead, you can push that green button! and removed [Status] Needs Author Reply We would need you to make some changes or provide some more details about your PR. Thank you! [Status] Needs Testing We need to add this change to the testing call for this month's release labels Mar 5, 2020
@roccotripaldi roccotripaldi merged commit 7968380 into master Mar 5, 2020
@roccotripaldi roccotripaldi deleted the fix/protect-empty-trusted-header branch March 5, 2020 20:58
@matticbot matticbot added [Status] Needs Changelog and removed [Status] Ready to Merge Go ahead, you can push that green button! labels Mar 5, 2020
jeherve added a commit that referenced this pull request Mar 20, 2020
@jeherve
Changelog: add #14859
0ef8fa3
jeherve added a commit that referenced this pull request Mar 31, 2020
@jeherve
8.4 Changelog (#15075)
0eb0b35 
* Initial changelog entry

* Changelog: add #14904

* Changelog: add #14910

* Changelog: add #14913

* Changelog: add #14916

* Changelog: add #14922

* Changelog: add #14924

* Changelog: add #14925

* Changelog: add #14928

* Changelog: add #14840

* Changelog: add #14841

* Changelog: add #14842

* Changelog: add #14826

* Changelog: add #14835

* Changelog: add #14859

* Changelog: add #14884

* Changelog: add #14888

* Changelog: add #14817

* Changelog: add #14814

* Changelog: add #14819

* Changelog;: add #14797

* Changelog: add #14798

* Changelog: add #14802

* Changelog: add #13676

* Changelog: add #13744

* Changelog: add #13777

* Changelog: add #14446

* Changelog: add #14739

* Changelog: add #14770

* Changelog: add #14784

* Changelog: add #14897

* Changelog: add #14898

* Changelog: add #14968

* Changelog: add #14985

* Changelog: add #15044

* Changelog: add #15052

* Update to remove Podcast since it remains in Beta

* Changelog: add #14803

* Changelog: add #15028

* Changelog: add #15065

* Changelog:add #14886

* Changelog: add #15118

* Changelog: add #14990

* Changelog: add #14528

* Changelog: add #15120

* Changelog: add #15126

* Changelog: add #15049

* Chanegelog: add #14852

* Changelog: add #15090

* Changelog: add #15138

* Changelog: add #15124

* Changelog:add #15055

* Changelog: add #15017

* Changelog: add #15109

* Changelog: add #15145

* Changelog:add #15096

* Changelog:add #15153

* Changelog: add #15133

* Changelog: add #14960

* Changelog: add #15127

* Changelog: add #15056

* Copy current changelog to changelog archive.

* Clarify changelog description
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jeherve jeherve jeherve approved these changes

Assignees

@roccotripaldi roccotripaldi

Labels
[Feature] Protect Also known as Brute Force Attack Protection [Type] Bug When a feature is broken and / or not performing as intended
Projects
None yet
Milestone
8.4
Development

Successfully merging this pull request may close these issues.
5 participants
@roccotripaldi @jetpackbot @htdat @jeherve @matticbot