Make WordPress Core

Opened 11 months ago

Closed 4 months ago

#51549 closed enhancement (fixed)

Update to phpass 0.5

Reported by: ayeshrajans
Owned by: desrosj
Milestone: 5.8
Priority: normal
Severity: normal
Version:
Component: External Libraries
Keywords: has-patch commit
Focuses:
Cc:

Description

WordPress currently uses PHPass library version 0.3.

This is over 10 years old now, and the latest version is 0.5. It doesn't dramatically improve the password hashing mechanism as it would have with a password_hash migration. However, I believe updating to 0.5 still brings some strict comparison improvements made in the new version.

https://www.openwall.com/phpass/

WordPress's copy of phpass has been modified over time.

All changes need to be rebased onto version 0.5 as well.
(patch to follow)
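As an added illustration of the strict-comparison point in the description above (example code written for this page, not code from phpass or WordPress core): PHP's loose `==` treats two numeric-looking strings as numbers, so distinct strings can compare equal, whereas `===` and `hash_equals()` compare bytes. The `checkPassword()` helper, the 4096-byte length cap and the sample inputs are this example's own assumptions, not phpass behaviour.

```php
<?php
// Added example for this page; not code from phpass or WordPress core.
// Shows why a password-hash check must compare with === (or hash_equals())
// rather than PHP's loose == operator.

declare(strict_types=1);

// Loose equality: PHP compares two numeric strings as numbers, so distinct
// strings such as "0e123" and "0e456" both evaluate to zero and compare
// equal. This holds on PHP 7 and PHP 8 alike.
function looseEquals(string $a, string $b): bool
{
    return $a == $b;
}

// Strict equality: byte-for-byte comparison, the kind of strict comparison
// the ticket refers to.
function strictEquals(string $a, string $b): bool
{
    return $a === $b;
}

// Hardened check against a crypt()-format stored hash (bcrypt here).
// The 4096-byte cap is this example's own choice (assumption), bounding the
// work an attacker can force per login attempt with an oversized password.
function checkPassword(string $password, string $storedHash): bool
{
    if (strlen($password) > 4096) {
        return false;
    }
    $computed = crypt($password, $storedHash);
    // crypt() signals an unusable salt with a short string starting with '*'.
    if ($computed === '' || $computed[0] === '*') {
        return false;
    }
    // Strict and constant-time; hash_equals() also fails on length mismatch.
    return hash_equals($storedHash, $computed);
}

// Constructed inputs (not real hashes): two distinct strings that both
// parse as the number zero under loose comparison.
$magicA = '0e462097431906509019562988736854';
$magicB = '0e830400451993494058024219903391';

var_dump(looseEquals($magicA, $magicB));
var_dump(strictEquals($magicA, $magicB));

// Constructed credential: the hash is generated at runtime with a low cost
// so the example runs quickly; real deployments use a higher cost.
$stored = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 4]);
var_dump(checkPassword('correct horse battery staple', $stored));
var_dump(checkPassword('Tr0ub4dor&3', $stored));
var_dump(checkPassword('anything', '$P$not-a-valid-salt'));
```

Run it with `php example.php`. The first `var_dump` is the one to watch: the two "0e…" strings are equal under `==` and unequal under `===`. In a real deployment the stored hash comes from the database and the cost parameter is far higher than 4; the point of the example is the comparison, not the hashing parameters.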

Attachments (2)

51549.patch (6.3 KB) - added by ayeshrajans 11 months ago.
Updated to phpass 0.5 from upstream, and applied wp-specific customizations
51549.diff (6.3 KB) - added by desrosj 4 months ago.


Change History (9)

@ayeshrajans
11 months ago

Updated to phpass 0.5 from upstream, and applied wp-specific customizations

#1 @ayeshrajans
11 months ago

  • Summary changed from "Updat to phpass 0.5" to "Update to phpass 0.5"

#3 @Hareesh Pillai
6 months ago

  • Milestone changed from Awaiting Review to 5.8

Requesting security feedback on this one so that we could move it forward.

#4 @desrosj
4 months ago

Related: #21022, #50027.

Thanks @ayeshrajans!

In the interest of keeping the library as consistent with the upstream library as possible, I think the first WP-specific change could probably be omitted in the update. It looks like the PHP 4-style constructor has been added to the official library and only the inline comment is different in WP now.

#5 @desrosj
4 months ago

  • Owner set to desrosj
  • Status changed from new to assigned

@desrosj
4 months ago

#6 @desrosj
4 months ago

  • Keywords commit added; 2nd-opinion removed
  • Status changed from assigned to reviewing

I've discussed with some other members of the security team, and this one seems like a fine update.

51549.diff is the same as @ayeshrajans's patch with one exception. I removed the inline comments for the two constructor functions to bring the WordPress copy of the library more in line with the upstream version. When that adjustment was made to Core, the PHP 5-style constructor was not included in the upstream library. Now that it is, I think it makes more sense to remove it in favor of consistency.

Only the last two modifications in your list above should now be relevant.

#7 @desrosj
4 months ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 51008:

External Libraries: Update the phpass library to version 0.5.

This updates the phpass library from version 0.3 to the latest version, 0.5. This is a minor update that includes some adjustments to be more friendly with newer versions of PHP.

The changes made in [30466] have also been applied to the new version of the library. This should now be the only WordPress-specific modification to this library.

Props ayeshrajans, dd32, otto42, desrosj.
Fixes #51549.
