Issues.joomla.org
See the entry there
No entry for joomla/joomla-cms#11760
I'm getting really tired of ModSec...
Odds are the old server didn't have ModSec on it.
OK. Hmm, but there should be a way to consume GitHub hooks in a secure way. Do we have a way to contact GitHub?
It's not GitHub, it's Rochen.
I mean ask GitHub to get a secure configuration of mod security; they have maybe some experience in that? Or Rochen ask GitHub how to configure it secure?
Can we do something like
https://developer.github.com/webhooks/securing/
Supposedly Rochen whitelisted GitHub stuff based on the data I gave them. Apparently that's not happening.
The problem is our issues commonly have SQL scripts, JavaScript snippets, and HTML inlined into them, which triggers the rules long before our application runs.
And that page is only good for application level security measures. It does nothing to address the web server stripping stuff.
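Added illustration, not part of the original thread or the tracker's own code: the application-level check that the linked GitHub page describes, sketched in PHP. The secret and payload are constructed sample values and the function name is hypothetical. The HMAC is computed over the raw body, so a payload altered before it reaches the app fails the check, while a request the web server blocks outright never reaches this code at all.

```php
<?php
// Added example: verify a GitHub webhook signature over the raw request body.
// The function name, secret and payload are constructed for illustration.

/**
 * Returns true only if $signatureHeader ("sha256=<hex>") is a valid
 * HMAC-SHA256 of $rawBody under the shared webhook secret.
 */
function verifyGithubSignature(string $rawBody, ?string $signatureHeader, string $secret): bool
{
    if ($signatureHeader === null || strpos($signatureHeader, '=') === false) {
        return false; // header missing or malformed
    }

    [$algo, $theirs] = explode('=', $signatureHeader, 2);

    // Pin the algorithm; never let the request choose it.
    if ($algo !== 'sha256') {
        return false;
    }

    $ours = hash_hmac('sha256', $rawBody, $secret);

    // Constant-time comparison avoids leaking how many characters matched.
    return hash_equals($ours, $theirs);
}

// In a real handler the inputs would come from the request:
//   $rawBody = file_get_contents('php://input');
//   $header  = $_SERVER['HTTP_X_HUB_SIGNATURE_256'] ?? null;

// Constructed sample: an issue comment carrying inline SQL and HTML.
$secret  = 'constructed-sample-secret';
$rawBody = json_encode([
    'action'  => 'created',
    'comment' => ['body' => "UPDATE `#__extensions` SET `enabled` = 1; <script>console.log('x')</script>"],
]);
$header = 'sha256=' . hash_hmac('sha256', $rawBody, $secret);

// Body exactly as the sender signed it.
var_dump(verifyGithubSignature($rawBody, $header, $secret));

// Same delivery after an intermediary stripped part of the body.
$altered = str_replace('<script>', '', $rawBody);
var_dump(verifyGithubSignature($altered, $header, $secret));
```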
Hmm thanks for checking
Hmm, looks like the cron synced it. So we need to add our logic to the crons too? Like pending and labels?
So #692 needs to be synced, tested, and merged is what you're saying.
And the cron works fine because it initiates a request to GitHub's API and pulls the data as a response, whereas the webhooks send the request to our server. ModSecurity only filters incoming HTTP traffic; unless someone REALLY screwed up a configuration, it shouldn't filter data from a curl request inside a PHP app.
I don't have admin rights on GitHub repos. But also resending that would fail, correct?
Correct.
Per Rochen:
Apache was rebuilt on the following the whitelisting I did previously; I've reapplied the changes now
Status | New | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2016-08-23 14:47:44 |
Closed_By | ⇒ | mbabker |
Looks like we have a general bot issue?
https://issues.joomla.org/tracker/joomla-cms/11694
Misses the last comments from
joomla/joomla-cms#11694 (comment)