Validate a localized $wp_default_secret_key
Reported by: nacin | Owned by: nbachiyski
$wp_default_secret_key is designed to hold the default string for SECRET_KEY in wp-config-sample.php, which in en_US is 'put your unique phrase here'.
This is only used in wp_salt() (a pluggable function) to see if the key-holding constants in wp-config.php were changed.
But in a localized install, 'put your unique phrase here' is translated. Problem is, $wp_default_secret_key is defined in wp-settings.php (2.9) and the two localized installs I checked don't override it. (There are no translator instructions to do so.)
$wp_default_secret_key has since been moved to default-constants.php, where it is more out of place, since it cannot be overridden without hard-coding it there or setting it much later. (No check is done to see if it is already set before setting the value.)
In localized installs, $wp_default_secret_key never equals the default key, which means we treat a default string as if it were unique.
- Move $wp_default_secret_key to wp-includes/load.php (all strings that need to be hard-coded have been moved from wp-settings.php to there) and add a comment for translators / ensure that translators update the value.
- Probably outside the scope of this ticket, but we should have setup-config.php wp_remote_get('https://api.wordpress.org/secret-key/1.1/') and replace the default keys on install.
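A simplified model of the check described in this ticket, added here as an illustration and not WordPress's own wp_salt() code: it shows why comparing against only the English default lets a translated placeholder pass as a unique key, and how comparing against the locale's own default (the fix proposed above) closes that gap. The locale table, the `xx_XX` locale and its translated placeholder are constructed for the example.

```php
<?php
// Added illustration, not code from WordPress. It models the "is this
// constant still the placeholder?" decision that wp_salt() makes.

// English default shipped in wp-config-sample.php and set in core.
$wp_default_secret_key = 'put your unique phrase here';

// Constructed: the placeholder each language pack ships in its own
// wp-config-sample.php. Real translations differ; these are illustrative.
$localized_defaults = array(
    'en_US' => 'put your unique phrase here',
    'xx_XX' => 'CONSTRUCTED translated placeholder',
);

// Model of the current behaviour: a key counts as "unique" unless it is
// empty or equals the (English-only) $wp_default_secret_key.
function key_is_unique_current($value, $default) {
    return $value !== '' && $value !== $default;
}

// Model of the proposed fix: the comparison value is the default for the
// install's own locale (translators update it), so a translated
// placeholder is recognised as still being the default.
function key_is_unique_localized($value, $default, array $localized, $locale) {
    $locale_default = isset($localized[$locale]) ? $localized[$locale] : $default;
    if ($value === '' || $value === $default || $value === $locale_default) {
        return false;
    }
    return true;
}

// Scenario: a site installed from the xx_XX language pack whose admin never
// edited wp-config.php, so SECRET_KEY still holds the translated placeholder.
$locale     = 'xx_XX';
$configured = $localized_defaults[$locale];

printf("current check   : %s\n",
    key_is_unique_current($configured, $wp_default_secret_key) ? 'treated as unique' : 'default detected');
printf("localized check : %s\n",
    key_is_unique_localized($configured, $wp_default_secret_key, $localized_defaults, $locale) ? 'treated as unique' : 'default detected');
```

Run with `php` on the command line; the first line reports the placeholder as unique, the second reports it as the default.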
Change History (8)
- Milestone changed from 3.0 to WordPress.org site
- Priority changed from normal to high
- Severity changed from normal to major
- Summary changed from $wp_default_secret_key can't be overridden, posing localization issues to Validate a localized $wp_default_secret_key