

Timestamp:
03/07/2016 06:31:18 AM (9 years ago)
Author:
dd32
Message:

Setup config: Generate the default secret keys & salts from the local CSPRNG if available, falling back to the WordPress.org API and a backup pseudo-random source.

Props diddledan.
Fixes #35290

File:
1 edited

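--- a/trunk/src/wp-admin/setup-config.php
+++ b/trunk/src/wp-admin/setup-config.php
@@ -277,19 +277,32 @@
         wp_die( $wpdb->error->get_error_message() . $tryagain_link );
 
-    // Fetch or generate keys and salts.
-    $no_api = isset( $_POST['noapi'] );
-    if ( ! $no_api ) {
-        $secret_keys = wp_remote_get( 'https://api.wordpress.org/secret-key/1.1/salt/' );
-    }
-
-    if ( $no_api || is_wp_error( $secret_keys ) ) {
-        $secret_keys = array();
+    // Generate keys and salts using secure CSPRNG; fallback to API if enabled; further fallback to original wp_generate_password().
+    try {
+        $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_ []{}<>~`+=,.;:/?|';
+        $max = strlen($chars) - 1;
         for ( $i = 0; $i < 8; $i++ ) {
-            $secret_keys[] = wp_generate_password( 64, true, true );
-        }
-    } else {
-        $secret_keys = explode( "\n", wp_remote_retrieve_body( $secret_keys ) );
-        foreach ( $secret_keys as $k => $v ) {
-            $secret_keys[$k] = substr( $v, 28, 64 );
+            $key = '';
+            for ( $j = 0; $j < 64; $j++ ) {
+                $key .= substr( $chars, random_int( 0, $max ), 1 );
+            }
+            $secret_keys[] = $key;
+        }
+    } catch ( Exception $ex ) {
+        $no_api = isset( $_POST['noapi'] );
+
+        if ( ! $no_api ) {
+            $secret_keys = wp_remote_get( 'https://api.wordpress.org/secret-key/1.1/salt/' );
+        }
+
+        if ( $no_api || is_wp_error( $secret_keys ) ) {
+            $secret_keys = array();
+            for ( $i = 0; $i < 8; $i++ ) {
+                $secret_keys[] = wp_generate_password( 64, true, true );
+            }
+        } else {
+            $secret_keys = explode( "\n", wp_remote_retrieve_body( $secret_keys ) );
+            foreach ( $secret_keys as $k => $v ) {
+                $secret_keys[$k] = substr( $v, 28, 64 );
+            }
         }
     }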
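Review bot: The `catch ( Exception $ex )` around the `random_int()` loop only reaches the API/`wp_generate_password()` fallback when `random_int()` exists and throws; on a PHP 5 host where neither the native function nor a polyfill is loaded, the call is a fatal undefined-function error and the fallback chain never runs. Presumably a random_compat polyfill loaded elsewhere in core covers this, but nothing in the hunk shows it, so either a `function_exists( 'random_int' )` guard before the `try` or a comment naming that dependency would make the intent explicit. The last-resort branch at line 300 silently produces the site's secret keys from `wp_generate_password()`, which the commit message itself describes as a pseudo-random source; a `// NOTE: last resort only — not guaranteed to be a CSPRNG` comment there would warn future maintainers that this path should not be reached in normal operation. The enclosing `case 2:` block of setup-config.php starts and ends outside the hunk.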