
Changeset 59532

Timestamp:
12/17/2024 11:56:28 PM (5 months ago)
Author:
SergeyBiryukov
Message:

Privacy: Use SHA-256 hashing algorithm for Gravatar.

This aims to improve privacy by switching to a more secure algorithm, as an MD5 hash can be reversed.

Follow-up to [6748], [31107].

Props henry.wright, jucaduca, haozi, desrosj, dd32, SergeyBiryukov.
See #60638.

Location:
trunk
Files:
4 edited

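--- a/trunk/src/wp-includes/link-template.php
+++ b/trunk/src/wp-includes/link-template.php
@@ -4290,5 +4290,5 @@
  * @since 4.2.0
  *
- * @param mixed $id_or_email The avatar to retrieve a URL for. Accepts a user ID, Gravatar MD5 hash,
+ * @param mixed $id_or_email The avatar to retrieve a URL for. Accepts a user ID, Gravatar SHA-256 or MD5 hash,
  *                           user email, WP_User object, WP_Post object, or WP_Comment object.
  * @param array $args {
@@ -4354,6 +4354,7 @@
  * @since 4.2.0
  * @since 6.7.0 Gravatar URLs always use HTTPS.
- *
- * @param mixed $id_or_email The avatar to retrieve. Accepts a user ID, Gravatar MD5 hash,
+ * @since 6.8.0 Gravatar URLs use the SHA-256 hashing algorithm.
+ *
+ * @param mixed $id_or_email The avatar to retrieve. Accepts a user ID, Gravatar SHA-256 or MD5 hash,
  *                           user email, WP_User object, WP_Post object, or WP_Comment object.
  * @param array $args {
@@ -4475,5 +4476,5 @@
      *
      * @param array $args        Arguments passed to get_avatar_data(), after processing.
-     * @param mixed $id_or_email The avatar to retrieve. Accepts a user ID, Gravatar MD5 hash,
+     * @param mixed $id_or_email The avatar to retrieve. Accepts a user ID, Gravatar SHA-256 or MD5 hash,
      *                           user email, WP_User object, WP_Post object, or WP_Comment object.
      */
@@ -4497,5 +4498,8 @@
         $user = get_user_by( 'id', absint( $id_or_email ) );
     } elseif ( is_string( $id_or_email ) ) {
-        if ( str_contains( $id_or_email, '@md5.gravatar.com' ) ) {
+        if ( str_contains( $id_or_email, '@sha256.gravatar.com' ) ) {
+            // SHA-256 hash.
+            list( $email_hash ) = explode( '@', $id_or_email );
+        } else if ( str_contains( $id_or_email, '@md5.gravatar.com' ) ) {
             // MD5 hash.
             list( $email_hash ) = explode( '@', $id_or_email );
@@ -4531,5 +4535,5 @@
 
         if ( $email ) {
-            $email_hash = md5( strtolower( trim( $email ) ) );
+            $email_hash = hash( 'sha256', strtolower( trim( $email ) ) );
         }
     }
@@ -4565,5 +4569,5 @@
      *
      * @param string $url         The URL of the avatar.
-     * @param mixed  $id_or_email The avatar to retrieve. Accepts a user ID, Gravatar MD5 hash,
+     * @param mixed  $id_or_email The avatar to retrieve. Accepts a user ID, Gravatar SHA-256 or MD5 hash,
      *                            user email, WP_User object, WP_Post object, or WP_Comment object.
      * @param array  $args        Arguments passed to get_avatar_data(), after processing.
@@ -4577,5 +4581,5 @@
      *
      * @param array $args        Arguments passed to get_avatar_data(), after processing.
-     * @param mixed $id_or_email The avatar to retrieve. Accepts a user ID, Gravatar MD5 hash,
+     * @param mixed $id_or_email The avatar to retrieve. Accepts a user ID, Gravatar SHA-256 or MD5 hash,
      *                           user email, WP_User object, WP_Post object, or WP_Comment object.
      */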
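Review bot: The new `@sha256.gravatar.com` branch (new lines 4500–4502) takes whatever precedes the `@` as `$email_hash` without checking that it is a 64-character lowercase hex string, so a malformed or attacker-chosen prefix is accepted as the hash; unless it is validated further down in get_avatar_data() (outside this hunk) that value is what ends up in the generated URL, and the pre-existing MD5 branch has the same gap. A guard along the lines of `if ( 64 !== strlen( $email_hash ) || ! ctype_xdigit( $email_hash ) ) { $email_hash = ''; }` (and 32 for the MD5 branch) would let the rest of the function treat a bad hash the same way it treats an unresolvable email — confirm how an empty `$email_hash` is handled before adopting that. Separately, new line 4503 uses `else if` where the adjacent line 4499 and the WordPress coding standards use `elseif`. The enclosing get_avatar_data() starts and ends outside this hunk.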
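--- a/trunk/tests/phpunit/tests/avatar.php
+++ b/trunk/tests/phpunit/tests/avatar.php
@@ -12,5 +12,5 @@
     public function test_get_avatar_url_gravatar_url() {
         $url = get_avatar_url( 1 );
-        $this->assertSame( preg_match( '|^https?://secure.gravatar.com/avatar/[0-9a-f]{32}\?|', $url ), 1 );
+        $this->assertSame( preg_match( '|^https?://secure.gravatar.com/avatar/[0-9a-f]{64}\?|', $url ), 1 );
     }
 
@@ -91,6 +91,9 @@
         $this->assertSame( $url, $url2 );
 
+        $url2 = get_avatar_url( hash( 'sha256', WP_TESTS_EMAIL ) . '@sha256.gravatar.com' );
+        $this->assertSame( $url, $url2 );
+
         $url2 = get_avatar_url( md5( WP_TESTS_EMAIL ) . '@md5.gravatar.com' );
-        $this->assertSame( $url, $url2 );
+        $this->assertSame( preg_match( '|^https?://secure.gravatar.com/avatar/[0-9a-f]{32}\?|', $url2 ), 1 );
 
         $user = get_user_by( 'id', 1 );
@@ -268,5 +271,5 @@
 
         $this->assertTrue( is_avatar_comment_type( $comment_type ) );
-        $this->assertMatchesRegularExpression( '|^https?://secure.gravatar.com/avatar/[0-9a-f]{32}\?|', $actual_data['url'] );
+        $this->assertMatchesRegularExpression( '|^https?://secure.gravatar.com/avatar/[0-9a-f]{64}\?|', $actual_data['url'] );
     }
 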
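Review bot: The patterns on new lines 14, 97 and 273 still accept `http://` and leave the dots in `secure.gravatar.com` unescaped, so they are looser than the "Gravatar URLs always use HTTPS" guarantee documented in link-template.php and would also match a URL on a different host such as `securexgravatar.com`; tightening them to `'|^https://secure\.gravatar\.com/avatar/[0-9a-f]{64}\?|'` (and `{32}` on line 97) makes the test actually pin the scheme and host. The new MD5 assertion on line 97 only checks the shape of the hash, whereas the line it replaces checked which hash was used; adding `$this->assertStringContainsString( md5( WP_TESTS_EMAIL ), $url2 );` would keep that coverage for the MD5 compatibility path.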
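--- a/trunk/tests/phpunit/tests/rest-api/rest-schema-setup.php
+++ b/trunk/tests/phpunit/tests/rest-api/rest-schema-setup.php
@@ -730,7 +730,7 @@
         'TagModel.meta.test_tag_meta'                      => '',
         'UsersCollection.0.link'                           => 'http://example.org/?author=1',
-        'UsersCollection.0.avatar_urls.24'                 => 'https://secure.gravatar.com/avatar/96614ec98aa0c0d2ee75796dced6df54?s=24&d=mm&r=g',
-        'UsersCollection.0.avatar_urls.48'                 => 'https://secure.gravatar.com/avatar/96614ec98aa0c0d2ee75796dced6df54?s=48&d=mm&r=g',
-        'UsersCollection.0.avatar_urls.96'                 => 'https://secure.gravatar.com/avatar/96614ec98aa0c0d2ee75796dced6df54?s=96&d=mm&r=g',
+        'UsersCollection.0.avatar_urls.24'                 => 'https://secure.gravatar.com/avatar/9387ed9432ec25ef93df84b8a0b9697ddef435a945e7f244670c4f79f88363e9?s=24&d=mm&r=g',
+        'UsersCollection.0.avatar_urls.48'                 => 'https://secure.gravatar.com/avatar/9387ed9432ec25ef93df84b8a0b9697ddef435a945e7f244670c4f79f88363e9?s=48&d=mm&r=g',
+        'UsersCollection.0.avatar_urls.96'                 => 'https://secure.gravatar.com/avatar/9387ed9432ec25ef93df84b8a0b9697ddef435a945e7f244670c4f79f88363e9?s=96&d=mm&r=g',
         'UsersCollection.0._links.self.0.href'             => 'http://example.org/index.php?rest_route=/wp/v2/users/1',
         'UsersCollection.0._links.collection.0.href'       => 'http://example.org/index.php?rest_route=/wp/v2/users',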
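--- a/trunk/tests/qunit/fixtures/wp-api-generated.js
+++ b/trunk/tests/qunit/fixtures/wp-api-generated.js
@@ -13878,7 +13878,7 @@
         "slug": "admin",
         "avatar_urls": {
-            "24": "https://secure.gravatar.com/avatar/96614ec98aa0c0d2ee75796dced6df54?s=24&d=mm&r=g",
-            "48": "https://secure.gravatar.com/avatar/96614ec98aa0c0d2ee75796dced6df54?s=48&d=mm&r=g",
-            "96": "https://secure.gravatar.com/avatar/96614ec98aa0c0d2ee75796dced6df54?s=96&d=mm&r=g"
+            "24": "https://secure.gravatar.com/avatar/9387ed9432ec25ef93df84b8a0b9697ddef435a945e7f244670c4f79f88363e9?s=24&d=mm&r=g",
+            "48": "https://secure.gravatar.com/avatar/9387ed9432ec25ef93df84b8a0b9697ddef435a945e7f244670c4f79f88363e9?s=48&d=mm&r=g",
+            "96": "https://secure.gravatar.com/avatar/9387ed9432ec25ef93df84b8a0b9697ddef435a945e7f244670c4f79f88363e9?s=96&d=mm&r=g"
         },
         "meta": {
@@ -13915,7 +13915,7 @@
         "slug": "restapiclientfixtureuser",
         "avatar_urls": {
-            "24": "https://secure.gravatar.com/avatar/57cbd982c963c7eb2294e2eee1b4448e?s=24&d=mm&r=g",
-            "48": "https://secure.gravatar.com/avatar/57cbd982c963c7eb2294e2eee1b4448e?s=48&d=mm&r=g",
-            "96": "https://secure.gravatar.com/avatar/57cbd982c963c7eb2294e2eee1b4448e?s=96&d=mm&r=g"
+            "24": "https://secure.gravatar.com/avatar/ea862d9636c72500beece7b1990870e2776f89c2096d0c064c14f2beb910077d?s=24&d=mm&r=g",
+            "48": "https://secure.gravatar.com/avatar/ea862d9636c72500beece7b1990870e2776f89c2096d0c064c14f2beb910077d?s=48&d=mm&r=g",
+            "96": "https://secure.gravatar.com/avatar/ea862d9636c72500beece7b1990870e2776f89c2096d0c064c14f2beb910077d?s=96&d=mm&r=g"
         },
         "meta": {
@@ -13954,7 +13954,7 @@
     "slug": "restapiclientfixtureuser",
     "avatar_urls": {
-        "24": "https://secure.gravatar.com/avatar/57cbd982c963c7eb2294e2eee1b4448e?s=24&d=mm&r=g",
-        "48": "https://secure.gravatar.com/avatar/57cbd982c963c7eb2294e2eee1b4448e?s=48&d=mm&r=g",
-        "96": "https://secure.gravatar.com/avatar/57cbd982c963c7eb2294e2eee1b4448e?s=96&d=mm&r=g"
+        "24": "https://secure.gravatar.com/avatar/ea862d9636c72500beece7b1990870e2776f89c2096d0c064c14f2beb910077d?s=24&d=mm&r=g",
+        "48": "https://secure.gravatar.com/avatar/ea862d9636c72500beece7b1990870e2776f89c2096d0c064c14f2beb910077d?s=48&d=mm&r=g",
+        "96": "https://secure.gravatar.com/avatar/ea862d9636c72500beece7b1990870e2776f89c2096d0c064c14f2beb910077d?s=96&d=mm&r=g"
     },
     "meta": {
@@ -13971,7 +13971,7 @@
     "slug": "restapiclientfixtureuser",
     "avatar_urls": {
-        "24": "https://secure.gravatar.com/avatar/57cbd982c963c7eb2294e2eee1b4448e?s=24&d=mm&r=g",
-        "48": "https://secure.gravatar.com/avatar/57cbd982c963c7eb2294e2eee1b4448e?s=48&d=mm&r=g",
-        "96": "https://secure.gravatar.com/avatar/57cbd982c963c7eb2294e2eee1b4448e?s=96&d=mm&r=g"
+        "24": "https://secure.gravatar.com/avatar/ea862d9636c72500beece7b1990870e2776f89c2096d0c064c14f2beb910077d?s=24&d=mm&r=g",
+        "48": "https://secure.gravatar.com/avatar/ea862d9636c72500beece7b1990870e2776f89c2096d0c064c14f2beb910077d?s=48&d=mm&r=g",
+        "96": "https://secure.gravatar.com/avatar/ea862d9636c72500beece7b1990870e2776f89c2096d0c064c14f2beb910077d?s=96&d=mm&r=g"
     },
     "meta": {
@@ -13997,7 +13997,7 @@
         "type": "comment",
         "author_avatar_urls": {
-            "24": "https://secure.gravatar.com/avatar/bd7c2b505bcf39cc71cfee564c614956?s=24&d=mm&r=g",
-            "48": "https://secure.gravatar.com/avatar/bd7c2b505bcf39cc71cfee564c614956?s=48&d=mm&r=g",
-            "96": "https://secure.gravatar.com/avatar/bd7c2b505bcf39cc71cfee564c614956?s=96&d=mm&r=g"
+            "24": "https://secure.gravatar.com/avatar/9ca51ced0b389ffbeba3d269c6d824be664c84fa1b35503282abdd302e1f417c?s=24&d=mm&r=g",
+            "48": "https://secure.gravatar.com/avatar/9ca51ced0b389ffbeba3d269c6d824be664c84fa1b35503282abdd302e1f417c?s=48&d=mm&r=g",
+            "96": "https://secure.gravatar.com/avatar/9ca51ced0b389ffbeba3d269c6d824be664c84fa1b35503282abdd302e1f417c?s=96&d=mm&r=g"
         },
         "meta": {
@@ -14051,7 +14051,7 @@
     "type": "comment",
     "author_avatar_urls": {
-        "24": "https://secure.gravatar.com/avatar/bd7c2b505bcf39cc71cfee564c614956?s=24&d=mm&r=g",
-        "48": "https://secure.gravatar.com/avatar/bd7c2b505bcf39cc71cfee564c614956?s=48&d=mm&r=g",
-        "96": "https://secure.gravatar.com/avatar/bd7c2b505bcf39cc71cfee564c614956?s=96&d=mm&r=g"
+        "24": "https://secure.gravatar.com/avatar/9ca51ced0b389ffbeba3d269c6d824be664c84fa1b35503282abdd302e1f417c?s=24&d=mm&r=g",
+        "48": "https://secure.gravatar.com/avatar/9ca51ced0b389ffbeba3d269c6d824be664c84fa1b35503282abdd302e1f417c?s=48&d=mm&r=g",
+        "96": "https://secure.gravatar.com/avatar/9ca51ced0b389ffbeba3d269c6d824be664c84fa1b35503282abdd302e1f417c?s=96&d=mm&r=g"
     },
     "meta": {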