Saturday, September 12, 2015

Did I Screw Up Mozilla India Blog's Security?

With great power comes great responsibility. The headline was clickbait. I probably haven't screwed up anything. I was granted temporary admin access to Mozilla India blog because I kept pestering the existing admins with bug-fix demands. This post is the story of how I went ahead to fix my first bug; opening myself to scrutiny, for the security of everyone.

[Image: "working on daddy's computer" by C Jill Reed, on Flickr, licensed under the Creative Commons Attribution-Share Alike 2.0 Generic License]

Immediately after Deb said he was giving me admin access, the first thing I did was reset my password on the blog's WordPress account. I let WordPress generate a secure password for me instead of choosing one myself.

The next task was storing this password somewhere so that I wouldn't have to reset it the next time I wanted to log in. There were two options in front of me. The first was to store it in Firefox's own password manager. But if I did so, to be absolutely sure nobody else could access it if I left my laptop unlocked, I'd have to set up a master password. Setting up a master password would make things less convenient for me because it would affect my normal browsing (requiring the password in every session for every other website, while I'd need it only for a site I'd be visiting seldom).

Therefore I decided to save the password encrypted in my file system. Although the ArchWiki lists many methods for disk encryption, I used GPG-based encryption of the file instead. Using the vim-gnupg plugin I transparently saved the password to the filesystem, with encryption and decryption happening on the fly.

Now that I could log in safely, I proceeded to look at the bug I wanted fixed: replacing the blank og:image. Jafar had included the diagnosis of the problem in the bug report itself: Jetpack linked to a blank image as the og:image if it didn't find any suitable image on the page.

I ducked for solutions and landed on Jetpack's own blog, which had the code snippet that would solve the issue. I was confused for a while because the post just had a function definition and didn't tell me how to add it to the blog. Ducking again, I discovered that the common way of adding extra functions is to put them in the functions.php file inside the theme. This was slightly counter-intuitive for me because I was under the impression that themes were all about style and layout. But, as it turns out, themes have a very critical role in the functioning of a WordPress website. And as a welcome side effect, it's possible to edit the functions.php file from the theme editor directly in the admin dashboard, thus eliminating the need to SSH into the hosting provider.

Although I now knew what to do, I wasn't sure I'd be able to get the code running in one try, and I didn't want a single minute of downtime on the blog. Therefore I decided to recreate the blog locally on my computer. I downloaded WordPress, set up MySQL, Apache, etc., and installed the exact same plugins and theme as the Mozilla India blog, so that I could test the changes I was about to make on my computer before touching the live blog.

On my local installation, I added the extra functions to functions.php with comments explaining why they were needed, and it worked on the first attempt. I then created a few posts with and without images to make sure everything was working as expected. Once verified, I made the same modifications on the live website and marked the bug RESOLVED FIXED. Voilà! It was one small bug for a sysadmin, but one giant leap for me.
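Here is what such a functions.php addition can look like, as an added example written for this post rather than the snippet from Jetpack's blog or the code actually deployed on the Mozilla India blog. It assumes WordPress with Jetpack active; the filter names `jetpack_open_graph_image_default` and `jetpack_open_graph_tags` are Jetpack's own, while the fallback image path, its dimensions and the `mib_` function names are placeholders chosen for this example.

```php
<?php
/**
 * Goes in the active theme's functions.php (a child theme is safer, so a
 * theme update does not silently remove it).
 *
 * Jetpack emits <meta property="og:image"> pointing at a blank placeholder
 * when a post has no featured, attached or inline image. The two filters
 * below replace that blank image with a site-wide fallback.
 */

// Fallback image used whenever Jetpack finds nothing better.
// PLACEHOLDER path: point it at a real image shipped with the theme.
function mib_og_fallback_image_url() {
    return get_stylesheet_directory_uri() . '/images/og-default.png';
}

// 1. Tell Jetpack which image to use instead of its blank default.
//    Jetpack passes the blank URL as the first argument; we ignore it.
add_filter( 'jetpack_open_graph_image_default', 'mib_og_default_image', 10, 1 );
function mib_og_default_image( $blank_url ) {
    return mib_og_fallback_image_url();
}

// 2. Belt and braces: inspect the final tag set and swap the image if it
//    is still empty or still the blank placeholder (e.g. forced by another
//    plugin), keeping width/height consistent with the fallback so social
//    crawlers accept the card.
add_filter( 'jetpack_open_graph_tags', 'mib_og_fix_blank_image', 20, 1 );
function mib_og_fix_blank_image( $tags ) {
    $image = isset( $tags['og:image'] ) ? $tags['og:image'] : '';
    // Jetpack may hand over several images as an array; check the first.
    if ( is_array( $image ) ) {
        $image = reset( $image );
    }
    if ( '' === $image || false !== strpos( $image, '/i/blank.jpg' ) ) {
        $tags['og:image']        = mib_og_fallback_image_url();
        $tags['og:image:width']  = 1200;  // assumed size of the placeholder
        $tags['og:image:height'] = 630;
    }
    return $tags;
}
```

After adding it, view the page source of a post with no images and confirm the og:image meta tag now carries the fallback URL rather than the blank one.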

NB: We are always looking for more contributors in Mozilla. If you're interested in participating in interesting (web, or otherwise) projects and want to have lots of fun while learning cool stuff, ping me.
