Opened 14 years ago
Closed 13 years ago
#16623 closed defect (bug) (invalid)
Authentication Unique Keys and Salts broke wp-config.
| Reported by: | christopherross | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 3.0 |
| Component: | WordPress.org Site | Keywords: | |
| Focuses: | | Cc: | |
Description (last modified by )
I've never seen this happen before but today I was installing WordPress and the Authentication Unique Keys and Salts broke the site during install.
define('NONCE_SALT', 'J6:6$c."Eec\_WQ:B2V \h 3,WZ?q<O[uTYq_~(@+[^T@}M,}yq6JKT3)PgKqRd\');
I've attached a Dreamweaver screenshot where the code highlighter found the error. After replacing the J6:6$c."Eec\_WQ:B2V \h 3,WZ?q<O[uTYq_~(@+[^T@}M,}yq6JKT3)PgKqRd\ above with a clean salt, it worked again.
Attachments (1)
Change History (8)
#1
14 years ago
- Component changed from Upgrade/Install to WordPress.org site
- Description modified (diff)
- Milestone changed from Awaiting Review to WordPress.org
Moving to WordPress.org - can be moved back for 3.2 after API change is done perhaps
The API is returning a slash at the end of the string, whilst that's legit, core doesn't escape the string, and appears to be using it as-is. The result is the closing quote is escaped, causing.. well.. what you've got there
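The failure described in the comment above can be reproduced and avoided as follows. This is an added example, not code from the ticket or from WordPress core; `salt_is_raw_safe`, `render_define` and `line_parses` are hypothetical helper names, and it assumes PHP 7 or later with the tokenizer extension.

```php
<?php
// Added example; the function names below are hypothetical, not WordPress APIs.

// True if $value can sit between single quotes unmodified. In a single-quoted
// PHP literal only \\ and \' are escapes, so a backslash or a quote in the
// value changes how the literal is read.
function salt_is_raw_safe(string $value): bool {
    return strpbrk($value, "\\'") === false;
}

// Builds a define() line from an untrusted value. var_export() emits a
// single-quoted literal with \ and ' escaped, so it parses back to $value.
function render_define(string $name, string $value): string {
    return sprintf('define(%s, %s);', var_export($name, true), var_export($value, true));
}

// True if the line is syntactically valid PHP (needs the tokenizer extension).
function line_parses(string $line): bool {
    try {
        token_get_all('<?php ' . $line, TOKEN_PARSE);
        return true;
    } catch (ParseError $e) {
        return false;
    }
}

// Salt as it appears in the ticket, in a nowdoc so every byte is taken literally.
$salt = <<<'SALT'
J6:6$c."Eec\_WQ:B2V \h 3,WZ?q<O[uTYq_~(@+[^T@}M,}yq6JKT3)PgKqRd\
SALT;

$naive = "define('NONCE_SALT', '" . $salt . "');"; // value written as-is
$safe  = render_define('NONCE_SALT', $salt);        // value escaped first

var_dump(salt_is_raw_safe($salt)); // does the raw value need escaping?
var_dump(line_parses($naive));     // as-is line: trailing \ escapes the closing quote
var_dump(line_parses($safe));      // escaped line
echo $safe, PHP_EOL;
```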
#2
14 years ago
Upon some more checking.. The API shouldn't be returning slashes at all, or " both of which are in your keys..
You used the web-creation of wp-config.php, correct? And WordPress 3.1 just did it all by itself? (Or did you manually create the config file, OR copy-paste the file contents it gave you?)
#3
14 years ago
Yes, after several runs, I can't get the secret key generator on .org to return any slashes at all, much less at the end of the string:
http://api.wordpress.org/secret-key/1.1/
Does core generate its own instead of hitting the API?
#4
14 years ago
During the install, if wp_remote_get cannot fetch the keys, it will fall back to using wp_generate_password:
wp_generate_password( 64, true, true );
wp_generate_password() does not, however, generate backslashes (\). Possible characters are:
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
!@#$%^&*()
-_ []{}<>~`+=,.;:/?|
When I initially wrote the patch to add in the extra chars for this specific use I ran 100 tests against the APIs to find what characters it used, which is where this list has come from. But as mentioned it does not include any backslashes as shown in this bug report.
Are mu-plugins included during the install process, if they exist? Would be strange to have one there before install, but it may be possible for wp_generate_password() to be overridden since it is in pluggable.php.
#5
14 years ago
It also uses wp_generate_password if noapi is set. However, wp_generate_password doesn't allow for backslashes, and I just ran a quick test by fetching http://api.wordpress.org/secret-key/1.1/salt/ 1000 times and got no backslashes there either.
Screenshot of error in text editor