Upstream/WordPress
1
0
Fork 0
mirror of https://github.com/WordPress/WordPress.git synced 2025-01-25 01:31:27 +01:00
Code Issues Projects Releases Wiki Activity

Security: Enhance the wp_hash() function to support custom hashing algorithms.

Browse Source 
The default algorithm remains as md5, but this change allows any algorithm that's supported by `hash_hmac()` to be used instead.

Props pushpenderindia, ayeshrajans, debarghyabanerjee, johnbillion

Fixes #62005

Built from https://develop.svn.wordpress.org/trunk@59578


git-svn-id: http://core.svn.wordpress.org/trunk@58964 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
John Blackbourn 2025-01-06 15:23:26 +00:00
parent 657321d1ba
commit 0fc42c6443
2 changed files with 24 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
wp-includes/pluggable.php
View File

@ -2581,18 +2581,38 @@ endif;
if ( ! function_exists( 'wp_hash' ) ) : if ( ! function_exists( 'wp_hash' ) ) :
/** /**
* Gets hash of given string. * Gets the hash of the given string.
*
* The default algorithm is md5 but can be changed to any algorithm supported by
* `hash_hmac()`. Use the `hash_hmac_algos()` function to check the supported
* algorithms.
* *
* @since 2.0.3 * @since 2.0.3
* @since 6.8.0 The `$algo` parameter was added.
*
* @throws InvalidArgumentException if the hashing algorithm is not supported.
* *
* @param string $data Plain text to hash. * @param string $data Plain text to hash.
* @param string $scheme Authentication scheme (auth, secure_auth, logged_in, nonce). * @param string $scheme Authentication scheme (auth, secure_auth, logged_in, nonce).
* @param string $algo Hashing algorithm to use. Default: 'md5'.
* @return string Hash of $data. * @return string Hash of $data.
*/ */
function wp_hash( $data, $scheme = 'auth' ) { function wp_hash( $data, $scheme = 'auth', $algo = 'md5' ) {
$salt = wp_salt( $scheme ); $salt = wp_salt( $scheme );
return hash_hmac( 'md5', $data, $salt ); // Ensure the algorithm is supported by the hash_hmac function.
if ( ! in_array( $algo, hash_hmac_algos(), true ) ) {
throw new InvalidArgumentException(
sprintf(
/** translators: 1: Name of a cryptographic hash algorithm. 2: List of supported algorithms. */
__( 'Unsupported hashing algorithm: %1$s. Supported algorithms are: %2$s' ),
$algo,
implode( ', ', hash_hmac_algos() )
)
);
}
return hash_hmac( $algo, $data, $salt );
} }
endif; endif;

2
wp-includes/version.php
View File

@ -16,7 +16,7 @@
* *
* @global string $wp_version * @global string $wp_version
*/ */
$wp_version = '6.8-alpha-59577'; $wp_version = '6.8-alpha-59578';
/** /**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema. * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.