Make WordPress Core

Opened 3 years ago

Closed 2 years ago

Last modified 2 years ago

#55937 closed enhancement (fixed)

Salting functions: translate the phrase `put your unique phrase here`.

Reported by: peterwilsoncc's profile peterwilsoncc Owned by: audrasjb's profile audrasjb
Milestone: 6.1 Priority: normal
Severity: normal Version:
Component: Security Keywords: has-patch
Focuses: Cc:

Description

Please note: this was discussed by the security team and agreed to be suitable as a public hardening ticket.

In wp_salt() WordPress pre-populates the check for duplicate salt values with the default put your unique phrase here. As the wp-config.php file for non-USA-English can be translated in downloaded packages, a translated version of this phrase ought to be in the pre-populated duplicate values array too.

I suggest the pre-populated array be set as follows to account for situations in which the default (English) file is used for a translated package:

<?php
$duplicated_keys = array(
  'put your unique phrase here' => true,
  __( 'put your unique phrase here' ) => true,
);

It's almost certain that non-English sites failing to change the default values will have them picked up by WordPress as duplicates and replace them with a random key. This is why this can be a public ticket.

Change History (28)

#1 in reply to: ↑ description ; follow-up: @SergeyBiryukov
3 years ago

Replying to peterwilsoncc:

In wp_salt() WordPress pre-populates the check for duplicate salt values with the default put your unique phrase here. As the wp-config.php file for non-USA-English can be translated in downloaded packages, a translated version of this phrase ought to be in the pre-populated duplicate values array too.

I might be missing something, but [19771] / #19599 did aim to account for translated values too, by using a fallback if any value is used more than once, whether translated or not. Does that not work as expected?

Also noting that wp-admin/maint/repair.php has a slightly different implementation as of [32830] / #20779, and might need some adjustment as well.

#2 in reply to: ↑ 1 @peterwilsoncc
3 years ago

Replying to SergeyBiryukov:

I might be missing something, but [19771] / #19599 did aim to account for translated values too, by using a fallback if any value is used more than once, whether translated or not. Does that not work as expected?

Yes, that's working as expected. :)

This is simply to add a little more hardening in case a site owner leaves one (and only one) value as the default. It's an edge case but for the sake of a few characters I think it's one WP ought to cover.

#3 @SergeyBiryukov
3 years ago

Ah, it makes sense now :) Thanks!

This ticket was mentioned in PR #2793 on WordPress/wordpress-develop by whaze.


3 years ago
#4

  • Keywords has-patch added

#5 @whaze
3 years ago

  • Keywords has-patch removed

hi, i make a PR with the requested change

#6 @whaze
3 years ago

  • Keywords has-patch added

#7 @SergeyBiryukov
3 years ago

Thanks for the PR! I think this needs a translator comment to note the relation to wp-config-sample.php and that the string should be translated the same way as in there, for those locales that do translate it.

#8 @whaze
3 years ago

thanks @SergeyBiryukov, i updated the PR with a translator comment

#9 @costdev
2 years ago

I've left a review on PR 2793 - it looks good to me and ready for commit consideration.

peterwilsoncc commented on PR #2793:


2 years ago
#10

Something that was mentioned in the original ticket is that there placeholder phrase appears elsewhere in WordPress

https://github.com/WordPress/wordpress-develop/blob/2b0e2d62a28f7c1da98056477416c55d42384939/src/wp-admin/maint/repair.php#L40

and

https://github.com/WordPress/wordpress-develop/blob/5ebe28966e5decbe1862c147bf98db0d8094038e/src/wp-includes/class-wp-recovery-mode-cookie-service.php#L200-L234

@whaze are you able to look at accounting for those values too? I didn't realise until it was pointed out by another contributor on the ticket.

audrasjb commented on PR #2793:


2 years ago
#12

Closing in favor of https://github.com/WordPress/wordpress-develop/pull/3289 which addresses @peterwilsoncc 's comments :)

#13 @audrasjb
2 years ago

  • Keywords commit added
  • Owner set to audrasjb
  • Status changed from new to accepted

All unit tests just passed.
Goin' to commit that one right now :)

#14 @audrasjb
2 years ago

  • Resolution set to fixed
  • Status changed from accepted to closed

In 54249:

Security: Salting functions: translate the phrase "put your unique phrase here".

In wp_salt() WordPress pre-populates the check for duplicate salt values with the default put your unique phrase here. As the wp-config.php file for non-en_US can be translated in downloaded packages, a translated version of this phrase ought to be in the pre-populated duplicate values array too.

Props peterwilsoncc, SergeyBiryukov, whaze, costdev, audrasjb.
Fixes #55937.

#17 @peterwilsoncc
2 years ago

  • Keywords needs-patch added; has-patch commit removed
  • Resolution fixed deleted
  • Status changed from closed to reopened

Reopening this:

  • the translator note needs to be duplicated with the other keys
  • an instance of the default key was missed in repair.php
  • wp_salt() is checking 'put your unique phrase here' and __( 'put your unique phrase here' ) but the other instances only check the latter. This should be consistent.

This ticket was mentioned in Slack in #core by jeffpaul. View the logs.


2 years ago

This ticket was mentioned in Slack in #cli by johnbillion. View the logs.


2 years ago

#20 @JeffPaul
2 years ago

@audrasjb @whaze are either of you able to craft a patch/PR to handle the reopen notes above?

This ticket was mentioned in PR #3339 on WordPress/wordpress-develop by audrasjb.


2 years ago
#21

  • Keywords has-patch added; needs-patch removed

#23 @audrasjb
2 years ago

Hey there,
@JeffPaul the above PR is my proposal to address what @peterwilsoncc raised.

This ticket was mentioned in PR #3389 on WordPress/wordpress-develop by peterwilsoncc.


2 years ago
#24

https://core.trac.wordpress.org/ticket/55937

This is an alternative to PR #3339 to consider both the english and translated default values as duplicates.

Props @audrasjb as it builds upon the original PR.

#25 @peterwilsoncc
2 years ago

I've created an alternative follow up pull request that builds on @audrasjb's.

In each location both the default English and default translated strings are considered duplicates, this matches the code in wp_salt().

This allows for site owners who download the English package and then switch language. I do wonder if the code should switch_to_locale( $site_locale ); beforehand but I am not sure how much processing work that is.

#26 @peterwilsoncc
2 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

In 54379:

Security: Additional translations of salt default phrase.

Translate the default salt value "put your unique phrase here" in additional locations in which it is used. This further ensures that the default phrase is considered an error in non-english translations of wp-config.php.

Follow-up to [54249].

Props peterwilsoncc, audrasjb, JeffPaul.
Fixes #55937.

peterwilsoncc commented on PR #3389:


2 years ago
#27

Committed in https://core.trac.wordpress.org/changeset/54379 / 09fd082625aefbf3785f2eb7dfd1460f289716dd

Note: See TracTickets for help on using tickets.