Changeset 59754 for trunk/src/wp-includes/ms-functions.php

Timestamp:

02/03/2025 07:50:50 PM (10 months ago)

Author:

johnbillion

Message:

Security: Add the SensitiveParameter attribute to sensitive parameters.

Values passed to parameters with this attribute will be redacted if present in a stack trace when using PHP 8.2 or later. This reduces the chance that passwords and security keys get accidentally exposed in debug logs and bug reports.

Props petitphp, TobiasBg, jrf, johnbillion.

Fixes #57304

File:

• trunk/src/wp-includes/ms-functions.php (modified) (7 diffs)

trunk/src/wp-includes/ms-functions.php

@@ -939 +939 @@
  * @return bool
  */
-function wpmu_signup_blog_notification( $domain, $path, $title, $user_login, $user_email, $key, $meta = array() ) {
+function wpmu_signup_blog_notification(
+    $domain,
+    $path,
+    $title,
+    $user_login,
+    $user_email,
+    #[\SensitiveParameter]
+    $key,
+    $meta = array()
+) {
     /**
      * Filters whether to bypass the new site email notification.
@@ -1074 +1083 @@
  * @return bool
  */
-function wpmu_signup_user_notification( $user_login, $user_email, $key, $meta = array() ) {
+function wpmu_signup_user_notification(
+    $user_login,
+    $user_email,
+    #[\SensitiveParameter]
+    $key,
+    $meta = array()
+) {
     /**
      * Filters whether to bypass the email notification for new user sign-up.
@@ -1176 +1191 @@
  * @return array|WP_Error An array containing information about the activated user and/or blog.
  */
-function wpmu_activate_signup( $key ) {
+function wpmu_activate_signup(
+    #[\SensitiveParameter]
+    $key
+) {
     global $wpdb;
 
@@ -1328 +1346 @@
  * @return int|false Returns false on failure, or int $user_id on success.
  */
-function wpmu_create_user( $user_name, $password, $email ) {
+function wpmu_create_user(
+    $user_name,
+    #[\SensitiveParameter]
+    $password,
+    $email
+) {
     $user_name = preg_replace( '/\s+/', '', sanitize_user( $user_name, true ) );
 
@@ -1612 +1635 @@
  * @return bool Whether the email notification was sent.
  */
-function wpmu_welcome_notification( $blog_id, $user_id, $password, $title, $meta = array() ) {
+function wpmu_welcome_notification(
+    $blog_id,
+    $user_id,
+    #[\SensitiveParameter]
+    $password,
+    $title,
+    $meta = array()
+) {
     $current_network = get_network();
 
@@ -1846 +1876 @@
  * @return bool
  */
-function wpmu_welcome_user_notification( $user_id, $password, $meta = array() ) {
+function wpmu_welcome_user_notification(
+    $user_id,
+    #[\SensitiveParameter]
+    $password,
+    $meta = array()
+) {
     $current_network = get_network();
 
@@ -2272 +2307 @@
  * @param array  $meta     Signup meta data.
  */
-function add_new_user_to_blog( $user_id, $password, $meta ) {
+function add_new_user_to_blog(
+    $user_id,
+    #[\SensitiveParameter]
+    $password,
+    $meta
+) {
     if ( ! empty( $meta['add_to_blog'] ) ) {
         $blog_id = $meta['add_to_blog'];