From d7e3d069a1bb2f68ff0504e8eb7695a23997c6ab Mon Sep 17 00:00:00 2001
From: Peter Wilson
Date: Tue, 4 Oct 2022 03:59:13 +0000
Subject: [PATCH] Security: Additional translations of salt default phrase.
Translate the default salt value "put your unique phrase here" in additional locations in which it is used. This further ensures that the default phrase is considered an error in non-English translations of `wp-config.php`.
Follow-up to [54249].
Props peterwilsoncc, audrasjb, JeffPaul.
Fixes #55937.
Built from https://develop.svn.wordpress.org/trunk@54379
git-svn-id: http://core.svn.wordpress.org/trunk@53938 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
wp-admin/maint/repair.php | 20 +++++++++++++++----
.../class-wp-recovery-mode-cookie-service.php | 16 +++++++++++++--
wp-includes/version.php | 2 +-
3 files changed, 31 insertions(+), 7 deletions(-)
diff --git a/wp-admin/maint/repair.php b/wp-admin/maint/repair.php
index 6c9e8fe82a..2399f766be 100644
--- a/wp-admin/maint/repair.php
+++ b/wp-admin/maint/repair.php
@@ -37,7 +37,17 @@ if ( ! defined( 'WP_ALLOW_REPAIR' ) || ! WP_ALLOW_REPAIR ) {
);
echo "
define('WP_ALLOW_REPAIR', true);
";
- $default_key = __( 'put your unique phrase here' );
+ $default_keys = array_unique(
+ array(
+ 'put your unique phrase here',
+ /*
+ * translators: This string should only be translated if wp-config-sample.php is localized.
+ * You can check the localized release package or
+ * https://i18n.svn.wordpress.org//branches//dist/wp-config-sample.php
+ */
+ __( 'put your unique phrase here' ),
+ )
+ );
$missing_key = false;
$duplicated_keys = array();
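Review bot: The translated entry in `$default_keys` only matches when the locale loaded for this request is the one whose `wp-config-sample.php` produced the site's config. A localized default phrase would therefore presumably go unreported after the site language is changed, or when translations are not loaded. A short comment above the array would make that limit explicit, for example `// Only the English phrase and the current locale's translation are recognised.` The same array is built again in `recovery_mode_hash()` in `class-wp-recovery-mode-cookie-service.php`; one shared definition would stop the two lists drifting apart. The enclosing `WP_ALLOW_REPAIR` branch starts and ends outside the hunk.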
@@ -51,9 +61,11 @@ if ( ! defined( 'WP_ALLOW_REPAIR' ) || ! WP_ALLOW_REPAIR ) {
}
}
- // If at least one key uses the default value, consider it duplicated.
- if ( isset( $duplicated_keys[ $default_key ] ) ) {
- $duplicated_keys[ $default_key ] = true;
+ // If at least one key uses a default value, consider it duplicated.
+ foreach ( $default_keys as $default_key ) {
+ if ( isset( $duplicated_keys[ $default_key ] ) ) {
+ $duplicated_keys[ $default_key ] = true;
+ }
}
// Weed out all unique, non-default values.
diff --git a/wp-includes/class-wp-recovery-mode-cookie-service.php b/wp-includes/class-wp-recovery-mode-cookie-service.php
index 5d3be11f6e..a2ee34a723 100644
--- a/wp-includes/class-wp-recovery-mode-cookie-service.php
+++ b/wp-includes/class-wp-recovery-mode-cookie-service.php
@@ -198,7 +198,19 @@ final class WP_Recovery_Mode_Cookie_Service {
* @return string|false The hashed $data, or false on failure.
*/
private function recovery_mode_hash( $data ) {
- if ( ! defined( 'AUTH_KEY' ) || AUTH_KEY === __( 'put your unique phrase here' ) ) {
+ $default_keys = array_unique(
+ array(
+ 'put your unique phrase here',
+ /*
+ * translators: This string should only be translated if wp-config-sample.php is localized.
+ * You can check the localized release package or
+ * https://i18n.svn.wordpress.org//branches//dist/wp-config-sample.php
+ */
+ __( 'put your unique phrase here' ),
+ )
+ );
+
+ if ( ! defined( 'AUTH_KEY' ) || in_array( AUTH_KEY, $default_keys, true ) ) {
$auth_key = get_site_option( 'recovery_mode_auth_key' );
if ( ! $auth_key ) {
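Review bot: An `AUTH_KEY` that is defined but empty still passes the new check `if ( ! defined( 'AUTH_KEY' ) || in_array( AUTH_KEY, $default_keys, true ) )`, so it looks as if an empty key would be used for the recovery-mode hash instead of the stored `recovery_mode_auth_key` fallback. An emptiness test would close that gap: `if ( ! defined( 'AUTH_KEY' ) || ! AUTH_KEY || in_array( AUTH_KEY, $default_keys, true ) ) {`. The `AUTH_SALT` condition in the following hunk has the same shape and would take the same `! AUTH_SALT` guard. The body of `recovery_mode_hash()` continues outside both hunks, so how the key and salt are combined is not visible here.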
@@ -213,7 +225,7 @@ final class WP_Recovery_Mode_Cookie_Service {
$auth_key = AUTH_KEY;
}
- if ( ! defined( 'AUTH_SALT' ) || AUTH_SALT === 'put your unique phrase here' || AUTH_SALT === $auth_key ) {
+ if ( ! defined( 'AUTH_SALT' ) || in_array( AUTH_SALT, $default_keys, true ) || AUTH_SALT === $auth_key ) {
$auth_salt = get_site_option( 'recovery_mode_auth_salt' );
if ( ! $auth_salt ) {
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 7711b36f24..8c33bffb0a 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
*
* @global string $wp_version
*/
-$wp_version = '6.1-beta2-54378';
+$wp_version = '6.1-beta2-54379';
/**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.