WordPress.org

Make WordPress Core

Changeset 42120


Ignore:
Timestamp:
11/07/17 01:08:11 (3 months ago)
Author:
pento
Message:

WPDB: Check that AUTH_SALT is not empty.

In wpdb::placeholder_escape(), the key for hash_hmac() defaults to AUTH_SALT, but hash_hmac() will return an empty string if the key is empty.

This had the side effect of the string {} being incorrectly replaced with a % character in queries just about to be run on the database.

Props jsonfry.
Fixes #42431.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/wp-db.php

    r42119 r42120  
    19471947            $algo = function_exists( 'hash' ) ? 'sha256' : 'sha1'; 
    19481948            // Old WP installs may not have AUTH_SALT defined. 
    1949             $salt = defined( 'AUTH_SALT' ) ? AUTH_SALT : (string) rand(); 
     1949            $salt = defined( 'AUTH_SALT' ) && AUTH_SALT ? AUTH_SALT : (string) rand(); 
    19501950 
    19511951            $placeholder = '{' . hash_hmac( $algo, uniqid( $salt, true ), $salt ) . '}'; 
Note: See TracChangeset for help on using the changeset viewer.