#42431 closed defect (bug) (fixed)
wpdb prepare - {} replaced with % if AUTH_SALT is defined as null or empty string
Reported by: | jsonfry | Owned by: | pento |
---|---|---|---|
Milestone: | 4.9 | Priority: | normal |
Severity: | normal | Version: | 4.8.3 |
Component: | Database | Keywords: | has-patch commit dev-reviewed fixed-major |
Focuses: | Cc: |
Description
In includes/wp-db.php line 1967, the defined function is used, which checks if the constant has been set, but not if it's actually got a (usable) value in it. It could also check for null or empty string.
This manifested for us when adding / removing a user role. In our roles we have a user that has no capabilities, and when we added a new role after updating to 4.8.3 the PHP serialized array that gets saved to wp_user_roles in the wp_options table has a % instead of a {}, which was pretty fatal when attempting to deserialize it - our site then appeared to have no roles.
(We should have had AUTH_SALT set, but we didn't. We use Bedrock so it was expecting AUTH_SALT as an env var, and setting it regardless.)
Attachments (2)
Change History (23)
#3
@
7 years ago
- Milestone changed from Awaiting Review to 4.9
- Owner set to pento
- Status changed from new to assigned
Thank you for the patch, @jsonfry! We addressed the string cast in #42401, but you're right that we should also check that AUTH_SALT has a value.
#4
@
7 years ago
- Keywords has-patch dev-feedback commit added
42431.diff updates the patch to apply cleanly against trunk.
This ticket was mentioned in Slack in #core by pento.
7 years ago
This ticket was mentioned in Slack in #core-committers by melchoyce.
7 years ago
#7
@
7 years ago
- Keywords dev-reviewed added; dev-feedback removed
Looks good and works as I would expect.
Also, the fallback to rand() doesn't work with type checking either as the 3rd param for hash_hmac should be a string, not an int.
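The failure mode and the two checks discussed in this ticket, as an added example that is not WordPress core code and not taken from the attached patches. The example_* functions and EXAMPLE_SALT_* constants are hypothetical, the role data is constructed, and the degenerate "{}" placeholder is an assumption taken from the ticket title.

```php
<?php
// Added illustration: hypothetical helpers, not WordPress core code.

// Return a usable HMAC key. defined() alone is true even for null or ''.
function example_salt( string $constant_name ): string {
    if ( defined( $constant_name ) && constant( $constant_name ) ) {
        return (string) constant( $constant_name );
    }
    // Fallback is cast to string because hash_hmac() expects a string key.
    return (string) rand();
}

// Build a per-request placeholder of the form {hash}.
function example_placeholder( string $salt ): string {
    return '{' . hash_hmac( 'sha256', uniqid( $salt, true ), $salt ) . '}';
}

// Swap the placeholder back to a literal % before the value is stored.
function example_unescape( string $value, string $placeholder ): string {
    return str_replace( $placeholder, '%', $value );
}

// Constructed constants standing in for AUTH_SALT in different states.
define( 'EXAMPLE_SALT_NULL', null );
define( 'EXAMPLE_SALT_EMPTY', '' );
define( 'EXAMPLE_SALT_SET', 'constructed-salt-value' );

$names = array( 'EXAMPLE_SALT_NULL', 'EXAMPLE_SALT_EMPTY', 'EXAMPLE_SALT_SET', 'EXAMPLE_SALT_MISSING' );
foreach ( $names as $name ) {
    $is_defined = defined( $name );
    $is_usable  = $is_defined && (bool) constant( $name );
    printf( "%-21s defined=%-5s usable=%s\n", $name, var_export( $is_defined, true ), var_export( $is_usable, true ) );
}

// Constructed role data: one role with no capabilities, as in the report.
$roles = serialize( array( 'no_caps' => array( 'name' => 'No caps', 'capabilities' => array() ) ) );

// Assumed degenerate placeholder "{}": the empty array's "{}" is rewritten
// to "%", and the stored value can no longer be unserialized.
$broken = example_unescape( $roles, '{}' );
echo $broken, "\n";
var_dump( @unserialize( $broken ) );

// Placeholder keyed with a guarded salt: the serialized data is unchanged.
$intact = example_unescape( $roles, example_placeholder( example_salt( 'EXAMPLE_SALT_EMPTY' ) ) );
var_dump( $intact === $roles );
```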