Changeset 59754 for trunk/src/wp-includes/pluggable.php

Timestamp:

02/03/2025 07:50:50 PM (10 months ago)

Author:

johnbillion

Message:

Security: Add the SensitiveParameter attribute to sensitive parameters.

Values passed to parameters with this attribute will be redacted if present in a stack trace when using PHP 8.2 or later. This reduces the chance that passwords and security keys get accidentally exposed in debug logs and bug reports.

Props petitphp, TobiasBg, jrf, johnbillion.

Fixes #57304

File:

• trunk/src/wp-includes/pluggable.php (modified) (4 diffs)

trunk/src/wp-includes/pluggable.php

@@ -599 +599 @@
      *                          otherwise WP_Error.
      */
-    function wp_authenticate( $username, $password ) {
+    function wp_authenticate(
+        $username,
+        #[\SensitiveParameter]
+        $password
+    ) {
         $username = sanitize_user( $username );
         $password = trim( $password );
@@ -2632 +2636 @@
      * @return string The hash string of the password.
      */
-    function wp_hash_password( $password ) {
+    function wp_hash_password(
+        #[\SensitiveParameter]
+        $password
+    ) {
         global $wp_hasher;
 
@@ -2668 +2675 @@
      * @return bool False, if the $password does not match the hashed password.
      */
-    function wp_check_password( $password, $hash, $user_id = '' ) {
+    function wp_check_password(
+        #[\SensitiveParameter]
+        $password,
+        $hash,
+        $user_id = ''
+    ) {
         global $wp_hasher;
 
@@ -2864 +2876 @@
      * @param int    $user_id  User ID.
      */
-    function wp_set_password( $password, $user_id ) {
+    function wp_set_password(
+        #[\SensitiveParameter]
+        $password,
+        $user_id
+    ) {
         global $wpdb;