Changeset 59754 for trunk/src/wp-includes/class-wp-xmlrpc-server.php

Timestamp:

02/03/2025 07:50:50 PM (10 months ago)

Author:

johnbillion

Message:

Security: Add the SensitiveParameter attribute to sensitive parameters.

Values passed to parameters with this attribute will be redacted if present in a stack trace when using PHP 8.2 or later. This reduces the chance that passwords and security keys get accidentally exposed in debug logs and bug reports.

Props petitphp, TobiasBg, jrf, johnbillion.

Fixes #57304

File:

• trunk/src/wp-includes/class-wp-xmlrpc-server.php (modified) (2 diffs)

trunk/src/wp-includes/class-wp-xmlrpc-server.php

@@ -286 +286 @@
      * @return WP_User|false WP_User object if authentication passed, false otherwise.
      */
-    public function login( $username, $password ) {
+    public function login(
+        $username,
+        #[\SensitiveParameter]
+        $password
+    ) {
         if ( ! $this->is_enabled ) {
             $this->error = new IXR_Error( 405, sprintf( __( 'XML-RPC services are disabled on this site.' ) ) );
@@ -331 +335 @@
      * @return bool Whether authentication passed.
      */
-    public function login_pass_ok( $username, $password ) {
+    public function login_pass_ok(
+        $username,
+        #[\SensitiveParameter]
+        $password
+    ) {
         return (bool) $this->login( $username, $password );
     }