
Changeset 54379


Timestamp:
10/04/2022 03:57:29 AM (2 years ago)
Author:
peterwilsoncc
Message:

Security: Additional translations of salt default phrase.

Translate the default salt value "put your unique phrase here" in additional locations in which it is used. This further ensures that the default phrase is considered an error in non-English translations of wp-config.php.

Follow-up to [54249].

Props peterwilsoncc, audrasjb, JeffPaul.
Fixes #55937.

Location:
trunk/src
Files:
2 edited

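--- a/trunk/src/wp-admin/maint/repair.php
+++ b/trunk/src/wp-admin/maint/repair.php
@@ -38,5 +38,15 @@
     echo "</p><p><code>define('WP_ALLOW_REPAIR', true);</code></p>";
 
-    $default_key     = __( 'put your unique phrase here' );
+    $default_keys    = array_unique(
+        array(
+            'put your unique phrase here',
+            /*
+             * translators: This string should only be translated if wp-config-sample.php is localized.
+             * You can check the localized release package or
+             * https://i18n.svn.wordpress.org/<locale code>/branches/<wp version>/dist/wp-config-sample.php
+             */
+            __( 'put your unique phrase here' ),
+        )
+    );
     $missing_key     = false;
     $duplicated_keys = array();
@@ -52,7 +62,9 @@
     }
 
-    // If at least one key uses the default value, consider it duplicated.
-    if ( isset( $duplicated_keys[ $default_key ] ) ) {
-        $duplicated_keys[ $default_key ] = true;
+    // If at least one key uses a default value, consider it duplicated.
+    foreach ( $default_keys as $default_key ) {
+        if ( isset( $duplicated_keys[ $default_key ] ) ) {
+            $duplicated_keys[ $default_key ] = true;
+        }
     }
 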
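Review bot: The translated entry in `$default_keys` only covers the locale that is active when this code runs, because `__( 'put your unique phrase here' )` returns that locale's string; a wp-config.php created from another locale's sample, or a site whose language was changed afterwards, would carry a placeholder that matches neither entry and is not reported as a default. The same list is built in `recovery_mode_hash()` in class-wp-recovery-mode-cookie-service.php, where a missed placeholder would presumably leave the constant in use instead of the generated site option; that is inferred from the visible branch, since the function body continues outside the hunk. If widening the check is out of scope, state the limit next to the list: `// Only the active locale's translation is checked; a placeholder from another locale's wp-config-sample.php will not match.`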
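--- a/trunk/src/wp-includes/class-wp-recovery-mode-cookie-service.php
+++ b/trunk/src/wp-includes/class-wp-recovery-mode-cookie-service.php
@@ -199,5 +199,17 @@
      */
     private function recovery_mode_hash( $data ) {
-        if ( ! defined( 'AUTH_KEY' ) || AUTH_KEY === __( 'put your unique phrase here' ) ) {
+        $default_keys = array_unique(
+            array(
+                'put your unique phrase here',
+                /*
+                 * translators: This string should only be translated if wp-config-sample.php is localized.
+                 * You can check the localized release package or
+                 * https://i18n.svn.wordpress.org/<locale code>/branches/<wp version>/dist/wp-config-sample.php
+                 */
+                __( 'put your unique phrase here' ),
+            )
+        );
+
+        if ( ! defined( 'AUTH_KEY' ) || in_array( AUTH_KEY, $default_keys, true ) ) {
             $auth_key = get_site_option( 'recovery_mode_auth_key' );
 
@@ -214,5 +226,5 @@
         }
 
-        if ( ! defined( 'AUTH_SALT' ) || AUTH_SALT === 'put your unique phrase here' || AUTH_SALT === $auth_key ) {
+        if ( ! defined( 'AUTH_SALT' ) || in_array( AUTH_SALT, $default_keys, true ) || AUTH_SALT === $auth_key ) {
             $auth_salt = get_site_option( 'recovery_mode_auth_salt' );
 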
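Review bot: The `$default_keys` block at the top of `recovery_mode_hash()` carries a translators comment but nothing for maintainers explaining why the list has two entries or why it is wrapped in `array_unique()`. A short comment above the assignment would do, for example `// English placeholder plus its translation; array_unique() collapses them when the locale leaves the phrase untranslated.` The identical list is built in wp-admin/maint/repair.php in this changeset, so the comment should also say that the two copies must stay in sync. The function body continues past the end of the hunk.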