Opened 2 years ago
#56860 new defect (bug)
Sodium Compat library is improperly loaded
Reported by: | TimothyBlynJacobs | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | 5.2 |
Component: | Security | Keywords: | |
Focuses: | Cc: |
Description
In #45806 the sodium compat library was added to WordPress. The library is only loaded if the sodium_crypto_box
function is not defined.
This accounts for scenarios where a user doesn't have Sodium available at all in their PHP installation. However, it doesn't accomodate for users on PHP 7.2+ that have a Sodium available, but compiled against an older libsodium version.
For example, one of our users has the latest version of the Sodium extension available, but v1.0.11 of libsodium. This means that the sodium_crypto_aead_xchacha20poly1305_ietf_encrypt
function is not available, since libsodium didn't add support for it until v1.0.12
The sodium compat library provides a polyfill for this function, but since the user's installation has sodium_crypto_box
defined, WordPress does not load the polyfill library at all.
Based on my reading of the sodium compat library, there would be no harm in us always loading the library. The autoloader is dynamic based on the features available, and each polyfill function is wrapped in a function_exists
check.
However, if we still wanted to conditionally load the polyfill we could use a more specific function like sodium_crypto_stream_xchacha20_xor
.