
Changeset 59578


Timestamp:
01/06/2025 03:21:26 PM (2 weeks ago)
Author:
johnbillion
Message:

Security: Enhance the wp_hash() function to support custom hashing algorithms.

The default algorithm remains md5, but this change allows any algorithm supported by hash_hmac() to be used instead.

Props pushpenderindia, ayeshrajans, debarghyabanerjee, johnbillion

Fixes #62005

Location:
trunk
Files:
1 added
2 edited

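--- a/trunk/src/wp-includes/pluggable.php
+++ b/trunk/src/wp-includes/pluggable.php
@@ -2582,16 +2582,36 @@
 if ( ! function_exists( 'wp_hash' ) ) :
     /**
-     * Gets hash of given string.
+     * Gets the hash of the given string.
+     *
+     * The default algorithm is md5 but can be changed to any algorithm supported by
+     * `hash_hmac()`. Use the `hash_hmac_algos()` function to check the supported
+     * algorithms.
      *
      * @since 2.0.3
+     * @since 6.8.0 The `$algo` parameter was added.
+     *
+     * @throws InvalidArgumentException if the hashing algorithm is not supported.
      *
      * @param string $data   Plain text to hash.
      * @param string $scheme Authentication scheme (auth, secure_auth, logged_in, nonce).
+     * @param string $algo   Hashing algorithm to use. Default: 'md5'.
      * @return string Hash of $data.
      */
-    function wp_hash( $data, $scheme = 'auth' ) {
+    function wp_hash( $data, $scheme = 'auth', $algo = 'md5' ) {
         $salt = wp_salt( $scheme );
 
-        return hash_hmac( 'md5', $data, $salt );
+        // Ensure the algorithm is supported by the hash_hmac function.
+        if ( ! in_array( $algo, hash_hmac_algos(), true ) ) {
+            throw new InvalidArgumentException(
+                sprintf(
+                    /** translators: 1: Name of a cryptographic hash algorithm. 2: List of supported algorithms. */
+                    __( 'Unsupported hashing algorithm: %1$s. Supported algorithms are: %2$s' ),
+                    $algo,
+                    implode( ', ', hash_hmac_algos() )
+                )
+            );
+        }
+
+        return hash_hmac( $algo, $data, $salt );
     }
 endif;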
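Review bot: The strict `in_array()` guard on the new `$algo` parameter rejects names that `hash_hmac()` itself accepts: PHP looks hash algorithm names up case-insensitively while `hash_hmac_algos()` returns only lowercase names, so `wp_hash( $data, 'auth', 'SHA256' )` throws even though `hash_hmac( 'SHA256', $data, $salt )` would succeed. Normalising before the check, `$algo = strtolower( $algo );`, makes the guard agree with the function it protects. The supported list is also computed twice, once for the check and once for the exception message; hoisting it into `$supported = hash_hmac_algos();` and using it in both the `in_array()` and the `implode()` avoids the repeat. Moving the guard above the `wp_salt()` call would keep an invalid algorithm from reaching the salt lookup at all, though `wp_salt()` is outside this hunk so whether that lookup has side effects worth skipping cannot be judged here.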
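--- a/trunk/tests/phpunit/tests/pluggable/signatures.php
+++ b/trunk/tests/phpunit/tests/pluggable/signatures.php
@@ -210,4 +210,5 @@
                 'data',
                 'scheme' => 'auth',
+                'algo'   => 'md5',
             ),
             'wp_hash_password'                => array( 'password' ),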