Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Salting functions: translate the phrase put your unique phrase here. #2793

Closed
wants to merge 4 commits into from
Closed

Salting functions: translate the phrase put your unique phrase here. #2793

wants to merge 4 commits into from

Conversation

whaze
Copy link

@whaze whaze commented Jun 7, 2022

Trac ticket: https://core.trac.wordpress.org/ticket/55937

This Pull Request is for code review only. Please keep all other discussion in the Trac ticket. Do not merge this Pull Request. See GitHub Pull Requests for Code Review in the Core Handbook for more details.

@whaze @peterwilsoncc
Update src/wp-includes/pluggable.php
be1e6f9 
thx Peter

Co-authored-by: Peter Wilson <519727+peterwilsoncc@users.noreply.github.com>
costdev
costdev approved these changes Sep 19, 2022
View reviewed changes
Copy link
Contributor

@costdev costdev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for working on this PR @whaze! This looks good to me! 👍

@peterwilsoncc
Copy link
Contributor

Something that was mentioned in the original ticket is that there placeholder phrase appears elsewhere in WordPress

wordpress-develop/src/wp-admin/maint/repair.php

Line 40 in 2b0e2d6

$default_key = 'put your unique phrase here';

and

wordpress-develop/src/wp-includes/class-wp-recovery-mode-cookie-service.php

Lines 200 to 234 in 5ebe289

private function recovery_mode_hash( $data ) {
if ( ! defined( 'AUTH_KEY' ) || AUTH_KEY === 'put your unique phrase here' ) {
$auth_key = get_site_option( 'recovery_mode_auth_key' );
if ( ! $auth_key ) {
if ( ! function_exists( 'wp_generate_password' ) ) {
require_once ABSPATH . WPINC . '/pluggable.php';
}
$auth_key = wp_generate_password( 64, true, true );
update_site_option( 'recovery_mode_auth_key', $auth_key );
}
} else {
$auth_key = AUTH_KEY;
}
if ( ! defined( 'AUTH_SALT' ) || AUTH_SALT === 'put your unique phrase here' || AUTH_SALT === $auth_key ) {
$auth_salt = get_site_option( 'recovery_mode_auth_salt' );
if ( ! $auth_salt ) {
if ( ! function_exists( 'wp_generate_password' ) ) {
require_once ABSPATH . WPINC . '/pluggable.php';
}
$auth_salt = wp_generate_password( 64, true, true );
update_site_option( 'recovery_mode_auth_salt', $auth_salt );
}
} else {
$auth_salt = AUTH_SALT;
}
$secret = $auth_key . $auth_salt;
return hash_hmac( 'sha1', $data, $secret );
}

@whaze are you able to look at accounting for those values too? I didn't realise until it was pointed out by another contributor on the ticket.

@audrasjb
Copy link
Contributor

Closing in favor of #3289 which addresses @peterwilsoncc 's comments :)

@audrasjb audrasjb closed this Sep 20, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@peterwilsoncc peterwilsoncc peterwilsoncc left review comments

@costdev costdev costdev approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@whaze @peterwilsoncc @audrasjb @costdev