Salting functions: translate the phrase put your unique phrase here. #2793

Closed
whaze wants to merge 4 commits into WordPress:trunk from whaze:55937
@whaze whaze commented Jun 7, 2022

Trac ticket: https://core.trac.wordpress.org/ticket/55937


This Pull Request is for code review only. Please keep all other discussion in the Trac ticket. Do not merge this Pull Request. See GitHub Pull Requests for Code Review in the Core Handbook for more details.

thx Peter

Co-authored-by: Peter Wilson <519727+peterwilsoncc@users.noreply.github.com>
Contributor

@costdev costdev left a comment

Thanks for working on this PR @whaze! This looks good to me! 👍

@peterwilsoncc
Contributor

Something that was mentioned in the original ticket is that the placeholder phrase appears elsewhere in WordPress:

    $default_key = 'put your unique phrase here';

and

    private function recovery_mode_hash( $data ) {
        if ( ! defined( 'AUTH_KEY' ) || AUTH_KEY === 'put your unique phrase here' ) {
            $auth_key = get_site_option( 'recovery_mode_auth_key' );
            if ( ! $auth_key ) {
                if ( ! function_exists( 'wp_generate_password' ) ) {
                    require_once ABSPATH . WPINC . '/pluggable.php';
                }
                $auth_key = wp_generate_password( 64, true, true );
                update_site_option( 'recovery_mode_auth_key', $auth_key );
            }
        } else {
            $auth_key = AUTH_KEY;
        }
        if ( ! defined( 'AUTH_SALT' ) || AUTH_SALT === 'put your unique phrase here' || AUTH_SALT === $auth_key ) {
            $auth_salt = get_site_option( 'recovery_mode_auth_salt' );
            if ( ! $auth_salt ) {
                if ( ! function_exists( 'wp_generate_password' ) ) {
                    require_once ABSPATH . WPINC . '/pluggable.php';
                }
                $auth_salt = wp_generate_password( 64, true, true );
                update_site_option( 'recovery_mode_auth_salt', $auth_salt );
            }
        } else {
            $auth_salt = AUTH_SALT;
        }
        $secret = $auth_key . $auth_salt;
        return hash_hmac( 'sha1', $data, $secret );
    }

@whaze are you able to look at accounting for those values too? I didn't realise until it was pointed out by another contributor on the ticket.
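
An audit of the condition raised in the comment above, as an added example that is not part of the thread or of WordPress core: it scans a wp-config.php for secret constants that are missing, still set to a placeholder phrase, or equal to another constant, the same three conditions `recovery_mode_hash()` checks for `AUTH_KEY` and `AUTH_SALT`. The function name `audit_secrets`, the translated placeholder and the sample config are constructed assumptions.

```python
import re

# The eight secret constants WordPress reads from wp-config.php.
SECRET_CONSTANTS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
# English placeholder from the thread, plus a constructed stand-in for a
# translated one (assumption; pass the phrases for your locales instead).
PLACEHOLDERS = {
    "put your unique phrase here",
    "mettez votre phrase unique ici",  # constructed sample translation
}
# Matches define( 'NAME', 'value' ); with single or double quotes.
DEFINE_RE = re.compile(
    r"""define\(\s*(['"])(\w+)\1\s*,\s*(['"])(.*?)\3\s*\)\s*;""")

def audit_secrets(config_text, placeholders=PLACEHOLDERS):
    """Return {constant: problem} for every secret that is unusable as a key."""
    defined = {}
    for line in config_text.splitlines():
        if line.lstrip().startswith(("//", "#", "*")):
            continue  # ignore commented-out defines
        for m in DEFINE_RE.finditer(line):
            if m.group(2) in SECRET_CONSTANTS:
                defined[m.group(2)] = m.group(4)
    known = {p.casefold() for p in placeholders}
    problems, seen = {}, {}
    for name in SECRET_CONSTANTS:
        value = defined.get(name)
        if value is None:
            problems[name] = "missing"
        elif value.strip().casefold() in known:
            problems[name] = "placeholder"  # publicly known, not a secret
        elif value in seen:
            problems[name] = "duplicate of " + seen[value]
        else:
            seen[value] = name
    return problems

# Constructed sample wp-config.php fragment, not taken from a real site.
SAMPLE = """
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'Zr4!pQ8v-constructed-1' );
define( 'LOGGED_IN_KEY',    'mettez votre phrase unique ici' );
define( 'NONCE_KEY',        'm2@Tx9Lw-constructed-2' );
define( 'AUTH_SALT',        'Hd7%Vb3n-constructed-3' );
define( 'SECURE_AUTH_SALT', 'Zr4!pQ8v-constructed-1' );
define( 'LOGGED_IN_SALT',   'Qe5&Ky1s-constructed-4' );
// define( 'NONCE_SALT',    'commented out, so treated as missing' );
"""
```

Calling `audit_secrets(SAMPLE)` returns a dictionary naming each constant that would force a fallback to stored or generated values.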

@audrasjb
Contributor

Closing in favor of #3289 which addresses @peterwilsoncc's comments :)

@audrasjb audrasjb closed this Sep 20, 2022