Changeset 59803 for trunk/src/wp-admin/upgrade.php

Timestamp:

02/11/2025 11:12:03 AM (2 months ago)

Author:

johnbillion

Message:

Security: Explicitly require the hash PHP extension and add requirement checks during installation and upgrade.

This extension provides the hash() function and support for the SHA-256 algorithm, both of which are required for upcoming security related changes. This extension is almost universally enabled, however it is technically possible to disable it on PHP 7.2 and 7.3, hence the introduction of this requirement and the corresponding requirement checks prior to installing or upgrading WordPress.

Props peterwilsoncc, ayeshrajans, dd32, SergeyBiryukov, johnbillion.

Fixes #60638, #62815, #56017

See #21022

File:

• trunk/src/wp-admin/upgrade.php (modified) (3 diffs)

trunk/src/wp-admin/upgrade.php

@@ -37 +37 @@
 
 /**
- * @global string $wp_version             The WordPress version string.
- * @global string $required_php_version   The required PHP version string.
- * @global string $required_mysql_version The required MySQL version string.
- * @global wpdb   $wpdb                   WordPress database abstraction object.
+ * @global string   $wp_version              The WordPress version string.
+ * @global string   $required_php_version    The required PHP version string.
+ * @global string[] $required_php_extensions The names of required PHP extensions.
+ * @global string   $required_mysql_version  The required MySQL version string.
+ * @global wpdb     $wpdb                    WordPress database abstraction object.
  */
-global $wp_version, $required_php_version, $required_mysql_version, $wpdb;
+global $wp_version, $required_php_version, $required_php_extensions, $required_mysql_version, $wpdb;
 
 $step = (int) $step;
@@ -53 +54 @@
 } else {
     $mysql_compat = version_compare( $mysql_version, $required_mysql_version, '>=' );
+}
+
+$missing_extensions = array();
+
+if ( isset( $required_php_extensions ) && is_array( $required_php_extensions ) ) {
+    foreach ( $required_php_extensions as $extension ) {
+        if ( extension_loaded( $extension ) ) {
+            continue;
+        }
+
+        $missing_extensions[] = sprintf(
+            /* translators: 1: URL to WordPress release notes, 2: WordPress version number, 3: The PHP extension name needed. */
+            __( 'You cannot upgrade because <a href="%1$s">WordPress %2$s</a> requires the %3$s PHP extension.' ),
+            $version_url,
+            $wp_version,
+            $extension
+        );
+    }
 }
 
@@ -127 +146 @@
 
     echo '<p>' . $message . '</p>';
-    ?>
-    <?php
+elseif ( count( $missing_extensions ) > 0 ) :
+    echo '<p>' . implode( '</p><p>', $missing_extensions ) . '</p>';
 else :
     switch ( $step ) :