Make WordPress Core


Timestamp:
11/07/2017 01:08:11 AM (7 years ago)
Author:
pento
Message:

WPDB: Check that AUTH_SALT is not empty.

In wpdb::placeholder_escape(), the key for hash_hmac() defaults to AUTH_SALT, but hash_hmac() will return an empty string if the key is empty.

This had the side effect of the string {} being incorrectly replaced with a % character in queries just about to be run on the database.

Props jsonfry.
Fixes #42431.

File:
1 edited

  • trunk/src/wp-includes/wp-db.php

    r42119 r42120  
    19471947            $algo = function_exists( 'hash' ) ? 'sha256' : 'sha1';
    19481948            // Old WP installs may not have AUTH_SALT defined.
    1949             $salt = defined( 'AUTH_SALT' ) ? AUTH_SALT : (string) rand();
     1949            $salt = defined( 'AUTH_SALT' ) && AUTH_SALT ? AUTH_SALT : (string) rand();
    19501950
    19511951            $placeholder = '{' . hash_hmac( $algo, uniqid( $salt, true ), $salt ) . '}';
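
Review bot: On new line 1949 the fallback key is still `(string) rand()`, and this change makes that branch reachable for installs with an empty AUTH_SALT as well as for installs where it is undefined. `rand()` is not a cryptographically secure source and yields a small integer range, so the HMAC key that produces `$placeholder` is guessable on exactly the sites that hit this path; consider drawing the fallback from a stronger random source where one is available. The truthiness test also treats an AUTH_SALT of '0' as empty, which is harmless here but worth knowing. The comment on line 1948 only mentions AUTH_SALT not being defined, so it should be updated to cover the empty case that the new condition handles.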