From 017f5e4aeb1028ace38ccea01fa45e17130a69ab Mon Sep 17 00:00:00 2001 From: nacin Date: Fri, 27 Jan 2012 18:52:20 +0000 Subject: [PATCH] Provide a DB fallback for keys in wp_salt(). Fall back when any secret is used more than once. Change how we detect a localized 'put your unique phrase here' -- eliminate $wp_default_secret_key and introduce $wp_secret_key_default to be added during the localized build process, not by translators. fixes #19599. git-svn-id: http://svn.automattic.com/wordpress/trunk@19771 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-includes/default-constants.php | 8 --- wp-includes/pluggable.php | 97 +++++++++++++------------------ 2 files changed, 40 insertions(+), 65 deletions(-) diff --git a/wp-includes/default-constants.php b/wp-includes/default-constants.php index ebdaa21d41..4e5daabd4d 100644 --- a/wp-includes/default-constants.php +++ b/wp-includes/default-constants.php @@ -140,8 +140,6 @@ function wp_plugin_directory_constants( ) { * @since 3.0.0 */ function wp_cookie_constants( ) { - global $wp_default_secret_key; - /** * Used to guarantee unique hash cookies * @since 1.5 @@ -154,12 +152,6 @@ function wp_cookie_constants( ) { define( 'COOKIEHASH', '' ); } - /** - * Should be exactly the same as the default value of SECRET_KEY in wp-config-sample.php - * @since 2.5.0 - */ - $wp_default_secret_key = 'put your unique phrase here'; - /** * @since 2.0.0 */ diff --git a/wp-includes/pluggable.php b/wp-includes/pluggable.php index 030e4535d9..172ab70130 100644 --- a/wp-includes/pluggable.php +++ b/wp-includes/pluggable.php 
@@ -1306,75 +1306,58 @@ if ( !function_exists('wp_salt') ) : * * @link https://api.wordpress.org/secret-key/1.1/salt/ Create secrets for wp-config.php * - * @param string $scheme Authentication scheme + * @param string $scheme Authentication scheme (auth, secure_auth, logged_in, nonce) * @return string Salt value */ -function wp_salt($scheme = 'auth') { - global $wp_default_secret_key; - $secret_key = ''; - if ( defined('SECRET_KEY') && ('' != SECRET_KEY) && ( $wp_default_secret_key != SECRET_KEY) ) - $secret_key = SECRET_KEY; +function wp_salt( $scheme = 'auth' ) { + global $wp_secret_key_default; // This is set for localized builds for versions > 3.4.0. - if ( 'auth' == $scheme ) { - if ( defined('AUTH_KEY') && ('' != AUTH_KEY) && ( $wp_default_secret_key != AUTH_KEY) ) - $secret_key = AUTH_KEY; - - if ( defined('AUTH_SALT') && ('' != AUTH_SALT) && ( $wp_default_secret_key != AUTH_SALT) ) { - $salt = AUTH_SALT; - } elseif ( defined('SECRET_SALT') && ('' != SECRET_SALT) && ( $wp_default_secret_key != SECRET_SALT) ) { - $salt = SECRET_SALT; - } else { - $salt = get_site_option('auth_salt'); - if ( empty($salt) ) { - $salt = wp_generate_password( 64, true, true ); - update_site_option('auth_salt', $salt); + static $duplicated_keys; + if ( null === $duplicated_keys ) { + $duplicated_keys = array( 'put your unique phrase here' => true ); + foreach ( array( 'AUTH', 'SECURE_AUTH', 'LOGGED_IN', 'NONCE', 'SECRET' ) as $first ) { + foreach ( array( 'KEY', 'SALT' ) as $second ) { + if ( ! defined( "{$first}_{$second}" ) ) + continue; + $value = constant( "{$first}_{$second}" ); + $duplicated_keys[ $value ] = isset( $duplicated_keys[ $value ] ); } } - } elseif ( 'secure_auth' == $scheme ) { - if ( defined('SECURE_AUTH_KEY') && ('' != SECURE_AUTH_KEY) && ( $wp_default_secret_key != SECURE_AUTH_KEY) ) - $secret_key = SECURE_AUTH_KEY; + if ( ! 
empty( $wp_secret_key_default ) ) + $duplicated_keys[ $wp_secret_key_default ] = true; + } - if ( defined('SECURE_AUTH_SALT') && ('' != SECURE_AUTH_SALT) && ( $wp_default_secret_key != SECURE_AUTH_SALT) ) { - $salt = SECURE_AUTH_SALT; - } else { - $salt = get_site_option('secure_auth_salt'); - if ( empty($salt) ) { - $salt = wp_generate_password( 64, true, true ); - update_site_option('secure_auth_salt', $salt); - } - } - } elseif ( 'logged_in' == $scheme ) { - if ( defined('LOGGED_IN_KEY') && ('' != LOGGED_IN_KEY) && ( $wp_default_secret_key != LOGGED_IN_KEY) ) - $secret_key = LOGGED_IN_KEY; + $key = $salt = ''; + if ( defined( 'SECRET_KEY' ) && SECRET_KEY && empty( $duplicated_keys[ SECRET_KEY ] ) ) + $key = SECRET_KEY; + if ( 'auth' == $scheme && defined( 'SECRET_SALT' ) && SECRET_SALT && empty( $duplicated_keys[ SECRET_SALT ] ) ) + $salt = SECRET_SALT; - if ( defined('LOGGED_IN_SALT') && ('' != LOGGED_IN_SALT) && ( $wp_default_secret_key != LOGGED_IN_SALT) ) { - $salt = LOGGED_IN_SALT; - } else { - $salt = get_site_option('logged_in_salt'); - if ( empty($salt) ) { - $salt = wp_generate_password( 64, true, true ); - update_site_option('logged_in_salt', $salt); - } - } - } elseif ( 'nonce' == $scheme ) { - if ( defined('NONCE_KEY') && ('' != NONCE_KEY) && ( $wp_default_secret_key != NONCE_KEY) ) - $secret_key = NONCE_KEY; - - if ( defined('NONCE_SALT') && ('' != NONCE_SALT) && ( $wp_default_secret_key != NONCE_SALT) ) { - $salt = NONCE_SALT; - } else { - $salt = get_site_option('nonce_salt'); - if ( empty($salt) ) { - $salt = wp_generate_password( 64, true, true ); - update_site_option('nonce_salt', $salt); + if ( in_array( $scheme, array( 'auth', 'secure_auth', 'logged_in', 'nonce' ) ) ) { + foreach ( array( 'key', 'salt' ) as $type ) { + $const = strtoupper( "{$scheme}_{$type}" ); + if ( defined( $const ) && constant( $const ) && empty( $duplicated_keys[ constant( $const ) ] ) ) { + $$type = constant( $const ); + } elseif ( ! 
$$type ) { + $$type = get_site_option( "{$scheme}_{$type}" ); + if ( ! $$type ) { + $$type = wp_generate_password( 64, true, true ); + update_site_option( "{$scheme}_{$type}", $$type ); + } } } } else { - // ensure each auth scheme has its own unique salt - $salt = hash_hmac('md5', $scheme, $secret_key); + if ( ! $key ) { + $key = get_site_option( 'secret_key' ); + if ( ! $key ) { + $key = wp_generate_password( 64, true, true ); + update_site_option( 'secret_key', $key ); + } + } + $salt = hash_hmac( 'md5', $scheme, $key ); } - return apply_filters('salt', $secret_key . $salt, $scheme); + return apply_filters('salt', $key . $salt, $scheme); } endif;
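Review bot: `in_array( $scheme, array( 'auth', 'secure_auth', 'logged_in', 'nonce' ) )` in the scheme dispatch compares loosely, so a non-string `$scheme` (for example `true`, or `0` on PHP before 8.0) is routed into the per-scheme branch and from there into `strtoupper( "{$scheme}_{$type}" )` and the `get_site_option`/`update_site_option` calls with a meaningless option name; pass the strict flag, `if ( in_array( $scheme, array( 'auth', 'secure_auth', 'logged_in', 'nonce' ), true ) ) {`. The docblock, which opens above the hunk with only its `@param`/`@return` lines in view, should also record the fallback this function now performs: constants that are undefined, empty, equal to the placeholder phrase (or `$wp_secret_key_default`) or reused across more than one constant are discarded, and the missing key or salt is read from, and on first use generated into, the `{$scheme}_key`/`{$scheme}_salt` (or `secret_key`) site options, so on such installs the signing material lives in the database rather than in wp-config.php. Since the read-generate-write sequence is not guarded, two concurrent first requests can presumably each persist a different value, with whichever wrote last silently invalidating anything signed by the other; worth a sentence in that docblock too. A smaller style point: the `$$type` variable variables defeat static analysis and make `elseif ( ! $$type )` hard to read, and two explicit `$key`/`$salt` assignments would express the same logic.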