Timestamp:
02/11/2025 11:12:03 AM (3 months ago)
Author:
johnbillion
Message:

Security: Explicitly require the hash PHP extension and add requirement checks during installation and upgrade.

This extension provides the hash() function and support for the SHA-256 algorithm, both of which are required for upcoming security-related changes. The extension is almost universally enabled; however, it is technically possible to disable it on PHP 7.2 and 7.3, hence the introduction of this requirement and the corresponding requirement checks prior to installing or upgrading WordPress.

Props peterwilsoncc, ayeshrajans, dd32, SergeyBiryukov, johnbillion.

Fixes #60638, #62815, #56017

See #21022

File:
1 edited

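--- a/trunk/src/wp-admin/includes/update-core.php
+++ b/trunk/src/wp-admin/includes/update-core.php
@@ -1010,7 +1010,4 @@
  * @global array              $_new_bundled_files
  * @global wpdb               $wpdb                   WordPress database abstraction object.
- * @global string             $wp_version
- * @global string             $required_php_version
- * @global string             $required_mysql_version
  *
  * @param string $from New release unzipped path.
@@ -1076,5 +1073,5 @@
 
     /*
-     * Import $wp_version, $required_php_version, and $required_mysql_version from the new version.
+     * Import $wp_version, $required_php_version, $required_php_extensions, and $required_mysql_version from the new version.
      * DO NOT globalize any variables imported from `version-current.php` in this function.
      *
@@ -1182,15 +1179,27 @@
     }
 
-    // Add a warning when the JSON PHP extension is missing.
-    if ( ! extension_loaded( 'json' ) ) {
-        return new WP_Error(
-            'php_not_compatible_json',
-            sprintf(
-                /* translators: 1: WordPress version number, 2: The PHP extension name needed. */
-                __( 'The update cannot be installed because WordPress %1$s requires the %2$s PHP extension.' ),
-                $wp_version,
-                'JSON'
-            )
-        );
+    if ( isset( $required_php_extensions ) && is_array( $required_php_extensions ) ) {
+        $missing_extensions = new WP_Error();
+
+        foreach ( $required_php_extensions as $extension ) {
+            if ( extension_loaded( $extension ) ) {
+                continue;
+            }
+
+            $missing_extensions->add(
+                "php_not_compatible_{$extension}",
+                sprintf(
+                    /* translators: 1: WordPress version number, 2: The PHP extension name needed. */
+                    __( 'The update cannot be installed because WordPress %1$s requires the %2$s PHP extension.' ),
+                    $wp_version,
+                    $extension
+                )
+            );
+        }
+
+        // Add a warning when required PHP extensions are missing.
+        if ( $missing_extensions->has_errors() ) {
+            return $missing_extensions;
+        }
     }
 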
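Review bot: The new extension loop is skipped entirely when `$required_php_extensions` is unset or not an array, whereas the removed JSON check ran unconditionally, so this gate fails open if the imported version file ever omits or misnames that variable. The variable is presumably defined in `version-current.php` (going by the import comment earlier in this function; its definition is not visible on this page), so a well-formed package should not hit this. Because the hash requirement exists to protect upcoming security changes, it is still worth stating the assumption above the `if`, for example `// $required_php_extensions is imported from the new release's version-current.php; when it is missing, no extension checks run.` The comment `// Add a warning when required PHP extensions are missing.` would also read more accurately as `// Abort the update when required PHP extensions are missing.`, since the branch returns the `WP_Error`. The enclosing function starts and ends outside the shown hunks.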