diff --git a/wp-admin/setup-config.php b/wp-admin/setup-config.php index fd8d32b2a6..befa6937ed 100644 --- a/wp-admin/setup-config.php +++ b/wp-admin/setup-config.php @@ -276,21 +276,34 @@ switch($step) { if ( ! empty( $wpdb->error ) ) wp_die( $wpdb->error->get_error_message() . $tryagain_link ); - // Fetch or generate keys and salts. - $no_api = isset( $_POST['noapi'] ); - if ( ! $no_api ) { - $secret_keys = wp_remote_get( 'https://api.wordpress.org/secret-key/1.1/salt/' ); - } - - if ( $no_api || is_wp_error( $secret_keys ) ) { - $secret_keys = array(); + // Generate keys and salts using secure CSPRNG; fallback to API if enabled; further fallback to original wp_generate_password(). + try { + $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_ []{}<>~`+=,.;:/?|'; + $max = strlen($chars) - 1; for ( $i = 0; $i < 8; $i++ ) { - $secret_keys[] = wp_generate_password( 64, true, true ); + $key = ''; + for ( $j = 0; $j < 64; $j++ ) { + $key .= substr( $chars, random_int( 0, $max ), 1 ); + } + $secret_keys[] = $key; } - } else { - $secret_keys = explode( "\n", wp_remote_retrieve_body( $secret_keys ) ); - foreach ( $secret_keys as $k => $v ) { - $secret_keys[$k] = substr( $v, 28, 64 ); + } catch ( Exception $ex ) { + $no_api = isset( $_POST['noapi'] ); + + if ( ! $no_api ) { + $secret_keys = wp_remote_get( 'https://api.wordpress.org/secret-key/1.1/salt/' ); + } + + if ( $no_api || is_wp_error( $secret_keys ) ) { + $secret_keys = array(); + for ( $i = 0; $i < 8; $i++ ) { + $secret_keys[] = wp_generate_password( 64, true, true ); + } + } else { + $secret_keys = explode( "\n", wp_remote_retrieve_body( $secret_keys ) ); + foreach ( $secret_keys as $k => $v ) { + $secret_keys[$k] = substr( $v, 28, 64 ); + } } } diff --git a/wp-includes/version.php b/wp-includes/version.php index 8abd2d8477..75376779a5 100644 --- a/wp-includes/version.php +++ b/wp-includes/version.php @@ -4,7 +4,7 @@ * * @global string $wp_version */ -$wp_version = '4.5-beta2-36871'; +$wp_version = '4.5-beta2-36872'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.