

Timestamp:
02/11/2025 11:12:03 AM (2 months ago)
Author:
johnbillion
Message:

Security: Explicitly require the hash PHP extension and add requirement checks during installation and upgrade.

This extension provides the hash() function and support for the SHA-256 algorithm, both of which are required for upcoming security related changes. This extension is almost universally enabled, however it is technically possible to disable it on PHP 7.2 and 7.3, hence the introduction of this requirement and the corresponding requirement checks prior to installing or upgrading WordPress.

Props peterwilsoncc, ayeshrajans, dd32, SergeyBiryukov, johnbillion.

Fixes #60638, #62815, #56017

See #21022

File:
1 edited

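--- a/trunk/src/wp-includes/load.php
+++ b/trunk/src/wp-includes/load.php
@@ -148,9 +148,10 @@
  * @access private
  *
- * @global string $required_php_version The required PHP version string.
- * @global string $wp_version           The WordPress version string.
+ * @global string   $required_php_version    The required PHP version string.
+ * @global string[] $required_php_extensions The names of required PHP extensions.
+ * @global string   $wp_version              The WordPress version string.
  */
 function wp_check_php_mysql_versions() {
-    global $required_php_version, $wp_version;
+    global $required_php_version, $required_php_extensions, $wp_version;
 
     $php_version = PHP_VERSION;
@@ -166,4 +167,28 @@
             $required_php_version
         );
+        exit( 1 );
+    }
+
+    $missing_extensions = array();
+
+    if ( isset( $required_php_extensions ) && is_array( $required_php_extensions ) ) {
+        foreach ( $required_php_extensions as $extension ) {
+            if ( extension_loaded( $extension ) ) {
+                continue;
+            }
+
+            $missing_extensions[] = sprintf(
+                'WordPress %1$s requires the <code>%2$s</code> PHP extension.',
+                $wp_version,
+                $extension
+            );
+        }
+    }
+
+    if ( count( $missing_extensions ) > 0 ) {
+        $protocol = wp_get_server_protocol();
+        header( sprintf( '%s 500 Internal Server Error', $protocol ), true, 500 );
+        header( 'Content-Type: text/html; charset=utf-8' );
+        echo implode( '<br>', $missing_extensions );
         exit( 1 );
     }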
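Review bot: The new extension check fails open: when `$required_php_extensions` is unset or not an array, the `isset( ... ) && is_array( ... )` guard skips the loop, `$missing_extensions` stays empty, and the function carries on without `hash` having been verified. If that is deliberate (perhaps to tolerate a version file that predates the global, which is an assumption since that file is not shown here), the guard deserves a comment such as `// If the global is absent the requirement is not enforced here; callers must not assume hash() exists.` so later security code does not treat this function as a guarantee. Separately, `$extension` and `$wp_version` are written into the HTML response unescaped; as far as the hunk shows both come from globals rather than request data, but `htmlspecialchars( $extension, ENT_QUOTES, 'UTF-8' )` would keep the output safe regardless of where the list is populated. The body of `wp_check_php_mysql_versions()` continues past the last line shown.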