Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve security key handling in pluggable.php #6597

Closed
wants to merge 2 commits into from
Closed

Improve security key handling in pluggable.php #6597

wants to merge 2 commits into from

Conversation

spacedmonkey
Copy link
Member

Requires #61053.

Use wp_prime_site_option_caches to prime option / network option caches if not defined as const.

Trac ticket: https://core.trac.wordpress.org/ticket/59871
@spacedmonkey
Improve security key handling in pluggable.php
f588a8e 
This commit adds functionality to recognize undefined keys and salts in wp-includes/pluggable.php and to prime site options with them. This strengthens the security by addressing key and salt duplicates and ensuring unique identifiers for each.
@github-actions GitHub Actions
Copy link

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

Core Committers: Use this line as a base for the props when committing in SVN:

Props spacedmonkey.

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.
@spacedmonkey spacedmonkey mentioned this pull request May 21, 2024
Closed
@spacedmonkey spacedmonkey reopened this May 21, 2024
@github-actions GitHub Actions
Copy link

Test using WordPress Playground

The changes in this pull request can previewed and tested using a WordPress Playground instance.

WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser.

Some things to be aware of

  • The Plugin and Theme Directories cannot be accessed within Playground.
  • All changes will be lost when closing a tab with a Playground instance.
  • All changes will be lost when refreshing the page.
  • A fresh instance is created each time the link below is clicked.
  • Every time this pull request is updated, a new ZIP file containing all changes is created. If changes are not reflected in the Playground instance,
    it's possible that the most recent build failed, or has not completed. Check the list of workflow runs to be sure.

For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation.

Test this pull request with WordPress Playground.
peterwilsoncc
peterwilsoncc reviewed May 22, 2024
View reviewed changes
Copy link
Contributor

@peterwilsoncc peterwilsoncc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A couple of notes, the main issue is that it doesn't prime the options if the constant is defined with put your unique phrase here or the translated version.

Screen Shot 2024-05-22 at 12 03 39 pm
src/wp-includes/pluggable.php

foreach ( array( 'AUTH', 'SECURE_AUTH', 'LOGGED_IN', 'NONCE', 'SECRET' ) as $first ) {
foreach ( array( 'KEY', 'SALT' ) as $second ) {
if ( ! defined( "{$first}_{$second}" ) ) {
if ( 'SECRET' !== $first ) {
$option_prime[] = strtolower( "{$first}_{$second}" );
}
continue;
}
$value = constant( "{$first}_{$second}" );
$duplicated_keys[ $value ] = isset( $duplicated_keys[ $value ] );
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This accounts for duplicate values and constants defined with the value from the sample config file, ie define( 'thing', 'put your unique phrase here' ).

Suggested change
$duplicated_keys[ $value ] = isset( $duplicated_keys[ $value ] );
$duplicated_keys[ $value ] = isset( $duplicated_keys[ $value ] );
if ( true === $duplicated_keys[ $value ] ) {
$option_prime[] = strtolower( "{$first}_{$second}" );
}
src/wp-includes/pluggable.php
@@ -2448,16 +2448,23 @@ function wp_salt( $scheme = 'auth' ) {
* https://i18n.svn.wordpress.org/<locale code>/branches/<wp version>/dist/wp-config-sample.php
*/
$duplicated_keys[ __( 'put your unique phrase here' ) ] = true;
$option_prime = array();
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this would be clearer with a rename.

🔢 Applies throughout, including the suggested change I've made.

Suggested change
$option_prime = array();
$options_to_prime = array();
@spacedmonkey
Copy link
Member Author

Closing in favour of #6720
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
2 participants
@spacedmonkey @peterwilsoncc