Changeset 59754

Timestamp:

02/03/2025 07:50:50 PM (4 months ago)

Author:

johnbillion

Message:

Security: Add the SensitiveParameter attribute to sensitive parameters.

Values passed to parameters with this attribute will be redacted if present in a stack trace when using PHP 8.2 or later. This reduces the chance that passwords and security keys get accidentally exposed in debug logs and bug reports.

Props petitphp, TobiasBg, jrf, johnbillion.

Fixes #57304

Location:

trunk/src

Files:

• wp-admin/includes/class-wp-importer.php (modified) (1 diff)
• wp-admin/includes/upgrade.php (modified) (2 diffs)
• wp-includes/class-wp-application-passwords.php (modified) (1 diff)
• wp-includes/class-wp-xmlrpc-server.php (modified) (2 diffs)
• wp-includes/class-wpdb.php (modified) (1 diff)
• wp-includes/ms-functions.php (modified) (7 diffs)
• wp-includes/pluggable-deprecated.php (modified) (2 diffs)
• wp-includes/pluggable.php (modified) (4 diffs)
• wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php (modified) (1 diff)
• wp-includes/user.php (modified) (8 diffs)

trunk/src/wp-admin/includes/class-wp-importer.php

@@ -196 +196 @@
      * @return array
      */
-    public function get_page( $url, $username = '', $password = '', $head = false ) {
+    public function get_page(
+        $url,
+        $username = '',
+        #[\SensitiveParameter]
+        $password = '',
+        $head = false
+    ) {
         // Increase the timeout.
         add_filter( 'http_request_timeout', array( $this, 'bump_request_timeout' ) );

trunk/src/wp-admin/includes/upgrade.php

@@ -45 +45 @@
      * }
      */
-    function wp_install( $blog_title, $user_name, $user_email, $is_public, $deprecated = '', $user_password = '', $language = '' ) {
+    function wp_install(
+        $blog_title,
+        $user_name,
+        $user_email,
+        $is_public,
+        $deprecated = '',
+        #[\SensitiveParameter]
+        $user_password = '',
+        $language = ''
+    ) {
         if ( ! empty( $deprecated ) ) {
             _deprecated_argument( __FUNCTION__, '2.6.0' );
@@ -564 +573 @@
      *                           usually passed instead of the actual password.
      */
-    function wp_new_blog_notification( $blog_title, $blog_url, $user_id, $password ) {
+    function wp_new_blog_notification(
+        $blog_title,
+        $blog_url,
+        $user_id,
+        #[\SensitiveParameter]
+        $password
+    ) {
         $user      = new WP_User( $user_id );
         $email     = $user->user_email;

trunk/src/wp-includes/class-wp-application-passwords.php

@@ -460 +460 @@
      * @return string The chunked password.
      */
-    public static function chunk_password( $raw_password ) {
+    public static function chunk_password(
+        #[\SensitiveParameter]
+        $raw_password
+    ) {
         $raw_password = preg_replace( '/[^a-z\d]/i', '', $raw_password );
 

trunk/src/wp-includes/class-wp-xmlrpc-server.php

@@ -286 +286 @@
      * @return WP_User|false WP_User object if authentication passed, false otherwise.
      */
-    public function login( $username, $password ) {
+    public function login(
+        $username,
+        #[\SensitiveParameter]
+        $password
+    ) {
         if ( ! $this->is_enabled ) {
             $this->error = new IXR_Error( 405, sprintf( __( 'XML-RPC services are disabled on this site.' ) ) );
@@ -331 +335 @@
      * @return bool Whether authentication passed.
      */
-    public function login_pass_ok( $username, $password ) {
+    public function login_pass_ok(
+        $username,
+        #[\SensitiveParameter]
+        $password
+    ) {
         return (bool) $this->login( $username, $password );
     }

trunk/src/wp-includes/class-wpdb.php

@@ -750 +750 @@
      * @param string $dbhost     Database host.
      */
-    public function __construct( $dbuser, $dbpassword, $dbname, $dbhost ) {
+    public function __construct(
+        $dbuser,
+        #[\SensitiveParameter]
+        $dbpassword,
+        $dbname,
+        $dbhost
+    ) {
         if ( WP_DEBUG && WP_DEBUG_DISPLAY ) {
             $this->show_errors();

trunk/src/wp-includes/ms-functions.php

@@ -939 +939 @@
  * @return bool
  */
-function wpmu_signup_blog_notification( $domain, $path, $title, $user_login, $user_email, $key, $meta = array() ) {
+function wpmu_signup_blog_notification(
+    $domain,
+    $path,
+    $title,
+    $user_login,
+    $user_email,
+    #[\SensitiveParameter]
+    $key,
+    $meta = array()
+) {
     /**
      * Filters whether to bypass the new site email notification.
@@ -1074 +1083 @@
  * @return bool
  */
-function wpmu_signup_user_notification( $user_login, $user_email, $key, $meta = array() ) {
+function wpmu_signup_user_notification(
+    $user_login,
+    $user_email,
+    #[\SensitiveParameter]
+    $key,
+    $meta = array()
+) {
     /**
      * Filters whether to bypass the email notification for new user sign-up.
@@ -1176 +1191 @@
  * @return array|WP_Error An array containing information about the activated user and/or blog.
  */
-function wpmu_activate_signup( $key ) {
+function wpmu_activate_signup(
+    #[\SensitiveParameter]
+    $key
+) {
     global $wpdb;
 
@@ -1328 +1346 @@
  * @return int|false Returns false on failure, or int $user_id on success.
  */
-function wpmu_create_user( $user_name, $password, $email ) {
+function wpmu_create_user(
+    $user_name,
+    #[\SensitiveParameter]
+    $password,
+    $email
+) {
     $user_name = preg_replace( '/\s+/', '', sanitize_user( $user_name, true ) );
 
@@ -1612 +1635 @@
  * @return bool Whether the email notification was sent.
  */
-function wpmu_welcome_notification( $blog_id, $user_id, $password, $title, $meta = array() ) {
+function wpmu_welcome_notification(
+    $blog_id,
+    $user_id,
+    #[\SensitiveParameter]
+    $password,
+    $title,
+    $meta = array()
+) {
     $current_network = get_network();
 
@@ -1846 +1876 @@
  * @return bool
  */
-function wpmu_welcome_user_notification( $user_id, $password, $meta = array() ) {
+function wpmu_welcome_user_notification(
+    $user_id,
+    #[\SensitiveParameter]
+    $password,
+    $meta = array()
+) {
     $current_network = get_network();
 
@@ -2272 +2307 @@
  * @param array  $meta     Signup meta data.
  */
-function add_new_user_to_blog( $user_id, $password, $meta ) {
+function add_new_user_to_blog(
+    $user_id,
+    #[\SensitiveParameter]
+    $password,
+    $meta
+) {
     if ( ! empty( $meta['add_to_blog'] ) ) {
         $blog_id = $meta['add_to_blog'];

trunk/src/wp-includes/pluggable-deprecated.php

@@ -102 +102 @@
  * @param bool $remember Optional. Remember that the user is logged in
  */
-function wp_setcookie($username, $password = '', $already_md5 = false, $home = '', $siteurl = '', $remember = false) {
+function wp_setcookie(
+    $username,
+    #[\SensitiveParameter]
+    $password = '',
+    $already_md5 = false,
+    $home = '',
+    $siteurl = '',
+    $remember = false
+) {
     _deprecated_function( __FUNCTION__, '2.5.0', 'wp_set_auth_cookie()' );
     $user = get_user_by('login', $username);
@@ -169 +177 @@
  * @return bool True on successful check, false on login failure.
  */
-function wp_login($username, $password, $deprecated = '') {
+function wp_login(
+    $username,
+    #[\SensitiveParameter]
+    $password,
+    $deprecated = ''
+) {
     _deprecated_function( __FUNCTION__, '2.5.0', 'wp_signon()' );
     global $error;

trunk/src/wp-includes/pluggable.php

@@ -599 +599 @@
      *                          otherwise WP_Error.
      */
-    function wp_authenticate( $username, $password ) {
+    function wp_authenticate(
+        $username,
+        #[\SensitiveParameter]
+        $password
+    ) {
         $username = sanitize_user( $username );
         $password = trim( $password );
@@ -2632 +2636 @@
      * @return string The hash string of the password.
      */
-    function wp_hash_password( $password ) {
+    function wp_hash_password(
+        #[\SensitiveParameter]
+        $password
+    ) {
         global $wp_hasher;
 
@@ -2668 +2675 @@
      * @return bool False, if the $password does not match the hashed password.
      */
-    function wp_check_password( $password, $hash, $user_id = '' ) {
+    function wp_check_password(
+        #[\SensitiveParameter]
+        $password,
+        $hash,
+        $user_id = ''
+    ) {
         global $wp_hasher;
 
@@ -2864 +2876 @@
      * @param int    $user_id  User ID.
      */
-    function wp_set_password( $password, $user_id ) {
+    function wp_set_password(
+        #[\SensitiveParameter]
+        $password,
+        $user_id
+    ) {
         global $wpdb;
 

trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php

@@ -1311 +1311 @@
      * @return string|WP_Error The sanitized password, if valid, otherwise an error.
      */
-    public function check_user_password( $value, $request, $param ) {
+    public function check_user_password(
+        #[\SensitiveParameter]
+        $value,
+        $request,
+        $param
+    ) {
         $password = (string) $value;
 

trunk/src/wp-includes/user.php

@@ -151 +151 @@
  * @return WP_User|WP_Error WP_User on success, WP_Error on failure.
  */
-function wp_authenticate_username_password( $user, $username, $password ) {
+function wp_authenticate_username_password(
+    $user,
+    $username,
+    #[\SensitiveParameter]
+    $password
+) {
     if ( $user instanceof WP_User ) {
         return $user;
@@ -229 +234 @@
  * @return WP_User|WP_Error WP_User on success, WP_Error on failure.
  */
-function wp_authenticate_email_password( $user, $email, $password ) {
+function wp_authenticate_email_password(
+    $user,
+    $email,
+    #[\SensitiveParameter]
+    $password
+) {
     if ( $user instanceof WP_User ) {
         return $user;
@@ -302 +312 @@
  * @return WP_User|WP_Error WP_User on success, WP_Error on failure.
  */
-function wp_authenticate_cookie( $user, $username, $password ) {
+function wp_authenticate_cookie(
+    $user,
+    $username,
+    #[\SensitiveParameter]
+    $password
+) {
     global $auth_secure_cookie;
 
@@ -343 +358 @@
  *                               null is passed in and this isn't an API request.
  */
-function wp_authenticate_application_password( $input_user, $username, $password ) {
+function wp_authenticate_application_password(
+    $input_user,
+    $username,
+    #[\SensitiveParameter]
+    $password
+) {
     if ( $input_user instanceof WP_User ) {
         return $input_user;
@@ -2847 +2867 @@
  *                      be created.
  */
-function wp_create_user( $username, $password, $email = '' ) {
+function wp_create_user(
+    $username,
+    #[\SensitiveParameter]
+    $password,
+    $email = ''
+) {
     $user_login = wp_slash( $username );
     $user_email = wp_slash( $email );
@@ -3035 +3060 @@
  * @return WP_User|WP_Error WP_User object on success, WP_Error object for invalid or expired keys.
  */
-function check_password_reset_key( $key, $login ) {
+function check_password_reset_key(
+    #[\SensitiveParameter]
+    $key,
+    $login
+) {
     global $wp_hasher;
 
@@ -3372 +3401 @@
  * @param string  $new_pass New password for the user in plaintext
  */
-function reset_password( $user, $new_pass ) {
+function reset_password(
+    $user,
+    #[\SensitiveParameter]
+    $new_pass
+) {
     /**
      * Fires before the user's password is reset.
@@ -4933 +4966 @@
  * @return true|WP_Error True on success, WP_Error on failure.
  */
-function wp_validate_user_request_key( $request_id, $key ) {
+function wp_validate_user_request_key(
+    $request_id,
+    #[\SensitiveParameter]
+    $key
+) {
     global $wp_hasher;