WordPress-C
/
WordPress
mirror of https://github.com/WordPress/WordPress.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Privacy: Use SHA-256 hashing algorithm for Gravatar. 

This aims to improve privacy by switching to a more secure algorithm, as an MD5 string can be reversed.

Follow-up to [6748], [31107].

Props henry.wright, jucaduca, haozi, desrosj, dd32, SergeyBiryukov.
See #60638.
Built from https://develop.svn.wordpress.org/trunk@59532


git-svn-id: http://core.svn.wordpress.org/trunk@58918 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Sergey Biryukov 2024-12-17 23:58:26 +00:00
parent 469695a82b
commit d427228024
2 changed files with 12 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
wp-includes/link-template.php
View File

@ -4289,7 +4289,7 @@ function the_shortlink( $text = '', $title = '', $before = '', $after = '' ) {
* *
* @since 4.2.0 * @since 4.2.0
* *
* @param mixed $id_or_email The avatar to retrieve a URL for. Accepts a user ID, Gravatar MD5 hash, * @param mixed $id_or_email The avatar to retrieve a URL for. Accepts a user ID, Gravatar SHA-256 or MD5 hash,
* user email, WP_User object, WP_Post object, or WP_Comment object. * user email, WP_User object, WP_Post object, or WP_Comment object.
* @param array $args { * @param array $args {
* Optional. Arguments to use instead of the default arguments. * Optional. Arguments to use instead of the default arguments.
@ -4353,8 +4353,9 @@ function is_avatar_comment_type( $comment_type ) {
* *
* @since 4.2.0 * @since 4.2.0
* @since 6.7.0 Gravatar URLs always use HTTPS. * @since 6.7.0 Gravatar URLs always use HTTPS.
* @since 6.8.0 Gravatar URLs use the SHA-256 hashing algorithm.
* *
* @param mixed $id_or_email The avatar to retrieve. Accepts a user ID, Gravatar MD5 hash, * @param mixed $id_or_email The avatar to retrieve. Accepts a user ID, Gravatar SHA-256 or MD5 hash,
* user email, WP_User object, WP_Post object, or WP_Comment object. * user email, WP_User object, WP_Post object, or WP_Comment object.
* @param array $args { * @param array $args {
* Optional. Arguments to use instead of the default arguments. * Optional. Arguments to use instead of the default arguments.
@ -4474,7 +4475,7 @@ function get_avatar_data( $id_or_email, $args = null ) {
* @since 4.2.0 * @since 4.2.0
* *
* @param array $args Arguments passed to get_avatar_data(), after processing. * @param array $args Arguments passed to get_avatar_data(), after processing.
* @param mixed $id_or_email The avatar to retrieve. Accepts a user ID, Gravatar MD5 hash, * @param mixed $id_or_email The avatar to retrieve. Accepts a user ID, Gravatar SHA-256 or MD5 hash,
* user email, WP_User object, WP_Post object, or WP_Comment object. * user email, WP_User object, WP_Post object, or WP_Comment object.
*/ */
$args = apply_filters( 'pre_get_avatar_data', $args, $id_or_email ); $args = apply_filters( 'pre_get_avatar_data', $args, $id_or_email );
@ -4496,7 +4497,10 @@ function get_avatar_data( $id_or_email, $args = null ) {
if ( is_numeric( $id_or_email ) ) { if ( is_numeric( $id_or_email ) ) {
$user = get_user_by( 'id', absint( $id_or_email ) ); $user = get_user_by( 'id', absint( $id_or_email ) );
} elseif ( is_string( $id_or_email ) ) { } elseif ( is_string( $id_or_email ) ) {
if ( str_contains( $id_or_email, '@md5.gravatar.com' ) ) { if ( str_contains( $id_or_email, '@sha256.gravatar.com' ) ) {
// SHA-256 hash.
list( $email_hash ) = explode( '@', $id_or_email );
} else if ( str_contains( $id_or_email, '@md5.gravatar.com' ) ) {
// MD5 hash. // MD5 hash.
list( $email_hash ) = explode( '@', $id_or_email ); list( $email_hash ) = explode( '@', $id_or_email );
} else { } else {
@ -4530,7 +4534,7 @@ function get_avatar_data( $id_or_email, $args = null ) {
} }
if ( $email ) { if ( $email ) {
$email_hash = md5( strtolower( trim( $email ) ) ); $email_hash = hash( 'sha256', strtolower( trim( $email ) ) );
} }
} }
@ -4564,7 +4568,7 @@ function get_avatar_data( $id_or_email, $args = null ) {
* @since 4.2.0 * @since 4.2.0
* *
* @param string $url The URL of the avatar. * @param string $url The URL of the avatar.
* @param mixed $id_or_email The avatar to retrieve. Accepts a user ID, Gravatar MD5 hash, * @param mixed $id_or_email The avatar to retrieve. Accepts a user ID, Gravatar SHA-256 or MD5 hash,
* user email, WP_User object, WP_Post object, or WP_Comment object. * user email, WP_User object, WP_Post object, or WP_Comment object.
* @param array $args Arguments passed to get_avatar_data(), after processing. * @param array $args Arguments passed to get_avatar_data(), after processing.
*/ */
@ -4576,7 +4580,7 @@ function get_avatar_data( $id_or_email, $args = null ) {
* @since 4.2.0 * @since 4.2.0
* *
* @param array $args Arguments passed to get_avatar_data(), after processing. * @param array $args Arguments passed to get_avatar_data(), after processing.
* @param mixed $id_or_email The avatar to retrieve. Accepts a user ID, Gravatar MD5 hash, * @param mixed $id_or_email The avatar to retrieve. Accepts a user ID, Gravatar SHA-256 or MD5 hash,
* user email, WP_User object, WP_Post object, or WP_Comment object. * user email, WP_User object, WP_Post object, or WP_Comment object.
*/ */
return apply_filters( 'get_avatar_data', $args, $id_or_email ); return apply_filters( 'get_avatar_data', $args, $id_or_email );

2
wp-includes/version.php
View File

@ -16,7 +16,7 @@
* *
* @global string $wp_version * @global string $wp_version
*/ */
$wp_version = '6.8-alpha-59531'; $wp_version = '6.8-alpha-59532';
/** /**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema. * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.