Changeset 59803 for trunk/src/wp-includes/pluggable.php

Timestamp:

02/11/2025 11:12:03 AM (2 months ago)

Author:

johnbillion

Message:

Security: Explicitly require the hash PHP extension and add requirement checks during installation and upgrade.

This extension provides the hash() function and support for the SHA-256 algorithm, both of which are required for upcoming security related changes. This extension is almost universally enabled, however it is technically possible to disable it on PHP 7.2 and 7.3, hence the introduction of this requirement and the corresponding requirement checks prior to installing or upgrading WordPress.

Props peterwilsoncc, ayeshrajans, dd32, SergeyBiryukov, johnbillion.

Fixes #60638, #62815, #56017

See #21022

File:

• trunk/src/wp-includes/pluggable.php (modified) (2 diffs)

trunk/src/wp-includes/pluggable.php

@@ -773 +773 @@
         $key = wp_hash( $username . '|' . $pass_frag . '|' . $expiration . '|' . $token, $scheme );
 
-        // If ext/hash is not present, compat.php's hash_hmac() does not support sha256.
-        $algo = function_exists( 'hash' ) ? 'sha256' : 'sha1';
-        $hash = hash_hmac( $algo, $username . '|' . $expiration . '|' . $token, $key );
+        $hash = hash_hmac( 'sha256', $username . '|' . $expiration . '|' . $token, $key );
 
         if ( ! hash_equals( $hash, $hmac ) ) {
@@ -876 +874 @@
         $key = wp_hash( $user->user_login . '|' . $pass_frag . '|' . $expiration . '|' . $token, $scheme );
 
-        // If ext/hash is not present, compat.php's hash_hmac() does not support sha256.
-        $algo = function_exists( 'hash' ) ? 'sha256' : 'sha1';
-        $hash = hash_hmac( $algo, $user->user_login . '|' . $expiration . '|' . $token, $key );
+        $hash = hash_hmac( 'sha256', $user->user_login . '|' . $expiration . '|' . $token, $key );
 
         $cookie = $user->user_login . '|' . $expiration . '|' . $token . '|' . $hash;