#55937 closed enhancement (fixed)
Salting functions: translate the phrase `put your unique phrase here`.
| Reported by: |
|
Owned by: |
|
|---|---|---|---|
| Milestone: | 6.1 | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Security | Keywords: | has-patch |
| Focuses: | Cc: |
Description
Please note: this was discussed by the security team and agreed to be suitable as a public hardening ticket.
In wp_salt() WordPress pre-populates the check for duplicate salt values with the default put your unique phrase here. As the wp-config.php file for non-USA-English can be translated in downloaded packages, a translated version of this phrase ought to be in the pre-populated duplicate values array too.
I suggest the pre-populated array be set as follows to account for situations in which the default (English) file is used for a translated package:
<?php $duplicated_keys = array( 'put your unique phrase here' => true, __( 'put your unique phrase here' ) => true, );
It's almost certain that non-English sites failing to change the default values will have them picked up by WordPress as duplicates and replace them with a random key. This is why this can be a public ticket.
Change History (28)
#1
in reply to:
↑ description
;
follow-up:
↓ 2
@
3 years ago
#2
in reply to:
↑ 1
@
3 years ago
Replying to SergeyBiryukov:
I might be missing something, but [19771] / #19599 did aim to account for translated values too, by using a fallback if any value is used more than once, whether translated or not. Does that not work as expected?
Yes, that's working as expected. :)
This is simply to add a little more hardening in case a site owner leaves one (and only one) value as the default. It's an edge case but for the sake of a few characters I think it's one WP ought to cover.
This ticket was mentioned in PR #2793 on WordPress/wordpress-develop by whaze.
3 years ago
#4
- Keywords has-patch added
Trac ticket: https://core.trac.wordpress.org/ticket/55937
#7
@
3 years ago
Thanks for the PR! I think this needs a translator comment to note the relation to wp-config-sample.php and that the string should be translated the same way as in there, for those locales that do translate it.
#9
@
3 years ago
I've left a review on PR 2793 - it looks good to me and ready for commit consideration.
peterwilsoncc commented on PR #2793:
3 years ago
#10
Something that was mentioned in the original ticket is that there placeholder phrase appears elsewhere in WordPress
and
@whaze are you able to look at accounting for those values too? I didn't realise until it was pointed out by another contributor on the ticket.
This ticket was mentioned in PR #3289 on WordPress/wordpress-develop by audrasjb.
3 years ago
#11
Trac ticket: https://core.trac.wordpress.org/ticket/55937
3 years ago
#12
Closing in favor of https://github.com/WordPress/wordpress-develop/pull/3289 which addresses @peterwilsoncc 's comments :)
#13
@
3 years ago
- Keywords commit added
- Owner set to audrasjb
- Status changed from new to accepted
All unit tests just passed.
Goin' to commit that one right now :)
3 years ago
#15
Committed in https://core.trac.wordpress.org/changeset/54249
3 years ago
#16
Committed in https://core.trac.wordpress.org/changeset/54249
#17
@
3 years ago
- Keywords needs-patch added; has-patch commit removed
- Resolution fixed deleted
- Status changed from closed to reopened
Reopening this:
- the translator note needs to be duplicated with the other keys
- an instance of the default key was missed in repair.php
wp_salt()is checking'put your unique phrase here'and__( 'put your unique phrase here' )but the other instances only check the latter. This should be consistent.
This ticket was mentioned in Slack in #core by jeffpaul. View the logs.
3 years ago
This ticket was mentioned in Slack in #cli by johnbillion. View the logs.
3 years ago
#20
@
3 years ago
@audrasjb @whaze are either of you able to craft a patch/PR to handle the reopen notes above?
This ticket was mentioned in PR #3339 on WordPress/wordpress-develop by audrasjb.
3 years ago
#21
- Keywords has-patch added; needs-patch removed
Trac ticket: https://core.trac.wordpress.org/ticket/55937
This ticket was mentioned in PR #3339 on WordPress/wordpress-develop by audrasjb.
3 years ago
#22
Trac ticket: https://core.trac.wordpress.org/ticket/55937
#23
@
3 years ago
Hey there,
@JeffPaul the above PR is my proposal to address what @peterwilsoncc raised.
This ticket was mentioned in PR #3389 on WordPress/wordpress-develop by peterwilsoncc.
3 years ago
#24
https://core.trac.wordpress.org/ticket/55937
This is an alternative to PR #3339 to consider both the english and translated default values as duplicates.
Props @audrasjb as it builds upon the original PR.
#25
@
3 years ago
I've created an alternative follow up pull request that builds on @audrasjb's.
In each location both the default English and default translated strings are considered duplicates, this matches the code in wp_salt().
This allows for site owners who download the English package and then switch language. I do wonder if the code should switch_to_locale( $site_locale ); beforehand but I am not sure how much processing work that is.
peterwilsoncc commented on PR #3389:
3 years ago
#27
Committed in https://core.trac.wordpress.org/changeset/54379 / 09fd082625aefbf3785f2eb7dfd1460f289716dd
Replying to peterwilsoncc:
I might be missing something, but [19771] / #19599 did aim to account for translated values too, by using a fallback if any value is used more than once, whether translated or not. Does that not work as expected?
Also noting that
wp-admin/maint/repair.phphas a slightly different implementation as of [32830] / #20779, and might need some adjustment as well.