Improve security key handling in pluggable.php #6597
Conversation
This commit adds functionality to recognize undefined keys and salts in wp-includes/pluggable.php and to prime site options with them. This strengthens the security by addressing key and salt duplicates and ensuring unique identifiers for each.
foreach ( array( 'AUTH', 'SECURE_AUTH', 'LOGGED_IN', 'NONCE', 'SECRET' ) as $first ) { | ||
foreach ( array( 'KEY', 'SALT' ) as $second ) { | ||
if ( ! defined( "{$first}_{$second}" ) ) { | ||
if ( 'SECRET' !== $first ) { | ||
$option_prime[] = strtolower( "{$first}_{$second}" ); | ||
} | ||
continue; | ||
} | ||
$value = constant( "{$first}_{$second}" ); | ||
$duplicated_keys[ $value ] = isset( $duplicated_keys[ $value ] ); |
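Review bot: the assignment `$duplicated_keys[ $value ] = isset( $duplicated_keys[ $value ] );` at the end of the hunk only becomes `true` on the second constant that carries a given value, so the first constant of a duplicate pair keeps `false` and nothing inside this loop treats it as a duplicate. Recording the constant names under each value and deciding after the loop (or making a second pass over the collected values) lets both members of the pair be handled the same way. The `continue` for undefined constants correctly keeps them out of `$duplicated_keys`, since there is no value to compare.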
This accounts for duplicate values and constants defined with the value from the sample config file, i.e. define( 'thing', 'put your unique phrase here' ).
$duplicated_keys[ $value ] = isset( $duplicated_keys[ $value ] ); | |
$duplicated_keys[ $value ] = isset( $duplicated_keys[ $value ] ); | |
if ( true === $duplicated_keys[ $value ] ) { | |
$option_prime[] = strtolower( "{$first}_{$second}" ); | |
} |
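Review bot: the suggested `$option_prime[] = strtolower( "{$first}_{$second}" );` inside `if ( true === $duplicated_keys[ $value ] )` also runs for `SECRET_KEY` and `SECRET_SALT`, while the undefined-constant branch a few lines up deliberately skips `'SECRET'`; the duplicate branch needs the same `'SECRET' !== $first` guard so that no `secret_key` / `secret_salt` option name is pushed. It also fires only for the occurrence on which the flag flips to `true`, so the earlier constant sharing that value is never added to `$option_prime`.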
@@ -2448,16 +2448,23 @@ function wp_salt( $scheme = 'auth' ) { | |||
* https://i18n.svn.wordpress.org/<locale code>/branches/<wp version>/dist/wp-config-sample.php | |||
*/ | |||
$duplicated_keys[ __( 'put your unique phrase here' ) ] = true; | |||
$option_prime = array(); |
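Review bot: `$option_prime = array();` deserves a one-line comment stating that it collects option names (`auth_key`, `secure_auth_key`, ...) to be handed to `wp_prime_site_option_caches()`, because the bare name reads like a flag rather than a list; a more descriptive variable name would make the same point at every use site.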
I think this would be clearer with a rename.
🔢 Applies throughout, including the suggested change I've made.
$option_prime = array(); | |
$options_to_prime = array(); |
Closing in favour of #6720
Requires #61053. Use wp_prime_site_option_caches to prime option / network option caches if not defined as const. Trac ticket: https://core.trac.wordpress.org/ticket/59871
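The undefined and duplicated key/salt handling discussed in this thread, written out as an added example rather than code from the PR or from WordPress core. It assumes a plain array standing in for defined()/constant() and derives option names from the constant names exactly as the hunks above do; unlike the single-pass loop under review it flags every constant in a duplicate group.

```php
<?php
// Added example, not PR code: return the site option names wp_salt() must read
// from the database so they can be primed in one call. $defined maps constant
// name => value, with null for an undefined constant (constructed stand-in).
function salt_options_to_prime( array $defined, $sample_phrase = 'put your unique phrase here' ) {
    $by_value = array(); // value => constant names carrying that value
    $options  = array(); // option names, used as a set
    foreach ( array( 'AUTH', 'SECURE_AUTH', 'LOGGED_IN', 'NONCE', 'SECRET' ) as $first ) {
        foreach ( array( 'KEY', 'SALT' ) as $second ) {
            $name = "{$first}_{$second}";
            if ( ! isset( $defined[ $name ] ) ) {
                // Undefined constant: the stored option is used instead. The
                // legacy SECRET_* names have no backing option and are skipped.
                if ( 'SECRET' !== $first ) {
                    $options[ strtolower( $name ) ] = true;
                }
                continue;
            }
            $by_value[ (string) $defined[ $name ] ][] = $name;
        }
    }

    foreach ( $by_value as $value => $names ) {
        // A value shared by several constants, or left at the sample phrase, is
        // unusable for all of them, so every one falls back to its stored option.
        if ( count( $names ) > 1 || (string) $value === $sample_phrase ) {
            foreach ( $names as $name ) {
                if ( 0 !== strpos( $name, 'SECRET_' ) ) {
                    $options[ strtolower( $name ) ] = true;
                }
            }
        }
    }
    return array_keys( $options );
}

// Constructed wp-config state for the demo: AUTH_KEY and LOGGED_IN_KEY reuse one
// value, NONCE_SALT still holds the sample phrase, SECURE_AUTH_SALT is undefined.
$constructed_config = array(
    'AUTH_KEY'         => 'example-value-A',
    'SECURE_AUTH_KEY'  => 'example-value-B',
    'LOGGED_IN_KEY'    => 'example-value-A',
    'NONCE_KEY'        => 'example-value-C',
    'AUTH_SALT'        => 'example-value-D',
    'SECURE_AUTH_SALT' => null,
    'LOGGED_IN_SALT'   => 'example-value-E',
    'NONCE_SALT'       => 'put your unique phrase here',
);
print_r( salt_options_to_prime( $constructed_config ) );
```

Both constants sharing example-value-A end up in the returned list, which is the case the single-pass isset() check in the hunk misses for the first of the pair.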