The `sodium_compat` library can be very slow for certain operations on 32-bit architectures, which can lead to web server timeouts while attempting to verify an update. This adds a runtime speed check to skip signature verification on systems that would otherwise time out. Includes simple unit tests.
Merges [45345] to the 5.2 branch.
Props dd32, paragoninitiativeenterprises, tellyworth.
Fixes#47186.
Built from https://develop.svn.wordpress.org/branches/5.2@45356
git-svn-id: http://core.svn.wordpress.org/branches/5.2@45167 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This fixes several bugs in the signature verification code:
Disables signature checks on certain incompatible PHP versions that cause math errors when opcache is enabled;
Prevents a spurious URL and subsequent error when downloading a zip file with query arguments;
Prevents errors triggered by third-party upgrade scripts as per #46615;
Disables signature tests for Plugins, Themes, and Translations, leaving only core updates.
At the 5.2 release the API servers will only provide signatures for core update packages, which is why messages are suppressed for plugins and other package types. Signatures for those other items will become available later.
Props dd32.
See #39309, #46615
Built from https://develop.svn.wordpress.org/trunk@45262
git-svn-id: http://core.svn.wordpress.org/trunk@45071 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This adds code for soft verification of signatures for theme and plugin installs and updates, when provided by the update server. This experimental version does not reject unverified packages or failed signatures; it simply reports anonymous errors so we can evaluate its feasibility and detect incompatibilities.
This code relies on the new sodium_compat library for PHP versions prior to 7.2.
Props dd32, paragoninitiativeenterprises.
See #39309, #45806.
Built from https://develop.svn.wordpress.org/trunk@44954
git-svn-id: http://core.svn.wordpress.org/trunk@44785 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Previously, only `a` and `br` tags were allowed in the `value` table cell for each field included in the HTML file generated when a user is exporting their personal data. Instead of relying on a hardcoded list of allowed tags, the `wp_kses()` call in `wp_privacy_generate_personal_data_export_group_html()` will now fallback to the default list of allowed tags (which includes `i`, `strong`, `em`, and other basic HTML formatting tags).
Also, a new context of `personal_data_export` will now be passed to the `wp_kses()` call. As a result, the list of HTML tags and attributes allowed in the export file can now be filtered using the `wp_kses_allowed_html` filter and checking for the `personal_data_export` context.
Fixes#44044.
Props tz-media, desrosj, pento, birgire, garrett-eclipse.
Built from https://develop.svn.wordpress.org/trunk@44824
git-svn-id: http://core.svn.wordpress.org/trunk@44656 1a063a9b-81f0-0310-95a4-ce76da25c4cd
WPCS 1.0.0 includes a bunch of new auto-fixers, which drops the number of coding standards issues across WordPress significantly. Prior to running the auto-fixers, there were 15,312 issues detected. With this commit, we now drop to 4,769 issues.
This change includes three notable additions:
- Multiline function calls must now put each parameter on a new line.
- Auto-formatting files is now part of the `grunt precommit` script.
- Auto-fixable coding standards issues will now cause Travis failures.
Fixes#44600.
Built from https://develop.svn.wordpress.org/trunk@43571
git-svn-id: http://core.svn.wordpress.org/trunk@43400 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In order to get the best result when running `phpcbf` across the codebase, there are some manual tweaks we need to make.
These fall into three categories:
- Fixing incorrectly indented code which has flow-on effects when auto-fixing.
- Tweaking the layout of inline PHP inside HTML tags.
- Moving more complex inline PHP inside HTML tags, to execute earlier.
See #44600.
Built from https://develop.svn.wordpress.org/trunk@43569
git-svn-id: http://core.svn.wordpress.org/trunk@43398 1a063a9b-81f0-0310-95a4-ce76da25c4cd
"Be more discrete." declared matt in [3155], and since then, "Silence is Golden" has been the calling card of placeholder index files. Historically, these have been php files, but [43012] changed that and added index.html files for privacy export generated folders.
The php silence files produce no visible content. This adds consistency with these new html files in that there will be no visible content. Silence will fall when the question is asked.
Fixes#44195.
Props audrasjb, rafsuntaskin, Ov3rfly, johnbillion, pento
Built from https://develop.svn.wordpress.org/trunk@43446
git-svn-id: http://core.svn.wordpress.org/trunk@43273 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Previously, personal data exports were stored in `wp-content/uploads/exports`, which is generic enough that it's likely there are existing folders with that name, either created by plugins or manually by administrators. If that folder were reused by Core, then `wp_privacy_delete_old_export_files()` would delete all of the existing files inside it, which is almost certainly not what the site owner wants or expects.
To avoid that, the folder is being renamed to include a specific reference to Core, and a more verbose description of its purpose. With those factored in, it's very unlikely that there will be any conflicts with existing folders.
The `wp_privacy_exports_dir()` and `wp_privacy_exports_url()` functions were introduced to provide a canonical source for the location, and the `wp_privacy_exports_dir` and `wp_privacy_exports_url` filters were introduced to allow plugins to customize it.
Props johnjamesjacoby, allendav.
Fixes#44091.
Built from https://develop.svn.wordpress.org/trunk@43284
git-svn-id: http://core.svn.wordpress.org/trunk@43113 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Whenever an admin initiates a download or email of a personal data export, a fresh copy of the file is generated. Previously, a new filename was used each time, which could lead to situations where a URL that was emailed to a data subject is broken.
That can be avoided by reusing the same filename when building fresh archives.
Props desrosj, tz-media, allendav.
Fixes#43905.
Built from https://develop.svn.wordpress.org/trunk@43180
git-svn-id: http://core.svn.wordpress.org/trunk@43009 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The personal data export and erasure tools allow plugins to register their own callbacks, in order to add additional data to the export and erasure processes. Previously, these were registered without specifying a constant identifier in the array of callbacks. Using mutable integers makes it difficult for plugins to modify the callbacks of other plugins, though.
Using associative array keys instead provides a covenient and reliable way to identify and interact with another plugin's callbacks.
Props desrosj, allendav, ocean90.
Fixes#43931.
Built from https://develop.svn.wordpress.org/trunk@43154
git-svn-id: http://core.svn.wordpress.org/trunk@42983 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This runs immediately after the data export file has been successfully created, allowing plugins to introduce some workflow customizations. For example, a plugin could password-protect the export file, for peace of mind, even though the CSPRN in the filename makes brute force attacks nearly impossible.
See #43546.
Built from https://develop.svn.wordpress.org/trunk@43047
git-svn-id: http://core.svn.wordpress.org/trunk@42876 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The primary means of protecting the files is the CSPRN appended to the filename, but there is no reason to keep the files after the data subject has downloaded them, so deleting them provides an additional layer of protection. Previously this was done from `wp_privacy_generate_personal_data_export_file()`, but that does not guarantee that it will be run regularly, and on smaller sites that could result in export files being exposed for much longer than necessary.
`wp_privacy_delete_old_export_files()` was moved to a front end file, so that it can be called from `cron.php`.
This introduces the `wp_privacy_export_expiration` filter, which allows plugins to customize how long the exports are kept before being deleted.
`index.html` was added to the `$exclusions` parameter of `list_files()` to make sure that it isn't deleted. If it were, then poorly-configured servers would allow the directory to be traversed, exposing all of the exported files.
Props iandunn, desrosj.
See #43546.
Built from https://develop.svn.wordpress.org/trunk@43046
git-svn-id: http://core.svn.wordpress.org/trunk@42875 1a063a9b-81f0-0310-95a4-ce76da25c4cd
`rand()` is deterministic and therefore offers much less protection in this context. `wp_generate_password()` is a convenient wrapper around `wp_rand()`, which uses `random_int()` to generate cryptographically-secure psuedorandom numbers.
See #43546.
Built from https://develop.svn.wordpress.org/trunk@43045
git-svn-id: http://core.svn.wordpress.org/trunk@42874 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The error response body size is limited to 1 KB by default to avoid taking up too much memory. The size can be increased using `download_url_error_max_body_size` filter.
Props soulseekah, campusboy1987, mihdan, SergeyBiryukov.
Fixes#43329.
Built from https://develop.svn.wordpress.org/trunk@42773
git-svn-id: http://core.svn.wordpress.org/trunk@42603 1a063a9b-81f0-0310-95a4-ce76da25c4cd
While intended as a playful error message, `Cheatin’ uh?` can be interpreted as insulting or accusatory in an already stressful situation. This replaces Cheatin’ with more meaningful error messages, depending on the error that occurs.
Props ElectricFeet, EricMeyer, karmatosed, dd32, BandonRandon, melchoyce for language; dmsnell for original patch; peterwilsoncc.
Fixes#38332.
Built from https://develop.svn.wordpress.org/trunk@42648
git-svn-id: http://core.svn.wordpress.org/trunk@42477 1a063a9b-81f0-0310-95a4-ce76da25c4cd