<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[45262] trunk/src/wp-admin/includes: Upgrade/install: fix verification bugs and scale back signature checks.</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { white-space: pre-line; overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta" style="font-size: 105%">
<dt style="float: left; width: 6em; font-weight: bold">Revision</dt> <dd><a style="font-weight: bold" href="https://core.trac.wordpress.org/changeset/45262">45262</a><script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","description":"Review this Commit","action":{"@type":"ViewAction","url":"https://core.trac.wordpress.org/changeset/45262","name":"Review Commit"}}</script></dd>
<dt style="float: left; width: 6em; font-weight: bold">Author</dt> <dd>tellyworth</dd>
<dt style="float: left; width: 6em; font-weight: bold">Date</dt> <dd>2019-04-24 07:43:29 +0000 (Wed, 24 Apr 2019)</dd>
</dl>

<pre style='padding-left: 1em; margin: 2em 0; border-left: 2px solid #ccc; line-height: 1.25; font-size: 105%; font-family: sans-serif'>Upgrade/install: fix verification bugs and scale back signature checks.

This fixes several bugs in the signature verification code:
Disables signature checks on certain incompatible PHP versions that cause math errors when opcache is enabled;
Prevents a spurious URL and subsequent error when downloading a zip file with query arguments;
Prevents errors triggered by third-party upgrade scripts as per <a href="https://core.trac.wordpress.org/ticket/46615">#46615</a>;
Disables signature tests for Plugins, Themes, and Translations, leaving only core updates.

At the 5.2 release the API servers will only provide signatures for core update packages, which is why messages are suppressed for plugins and other package types. Signatures for those other items will become available later.

Props dd32.
See <a href="https://core.trac.wordpress.org/ticket/39309">#39309</a>, <a href="https://core.trac.wordpress.org/ticket/46615">#46615</a></pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunksrcwpadminincludesclasscoreupgraderphp">trunk/src/wp-admin/includes/class-core-upgrader.php</a></li>
<li><a href="#trunksrcwpadminincludesclasswpupgraderphp">trunk/src/wp-admin/includes/class-wp-upgrader.php</a></li>
<li><a href="#trunksrcwpadminincludesfilephp">trunk/src/wp-admin/includes/file.php</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunksrcwpadminincludesclasscoreupgraderphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/src/wp-admin/includes/class-core-upgrader.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/src/wp-admin/includes/class-core-upgrader.php       2019-04-24 05:40:01 UTC (rev 45261)
+++ trunk/src/wp-admin/includes/class-core-upgrader.php 2019-04-24 07:43:29 UTC (rev 45262)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -121,7 +121,7 @@
</span><span class="cx" style="display: block; padding: 0 10px">                        return new WP_Error( 'locked', $this->strings['locked'] );
</span><span class="cx" style="display: block; padding: 0 10px">                }
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                $download = $this->download_package( $current->packages->$to_download );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+         $download = $this->download_package( $current->packages->$to_download, true );
</ins><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">                // Allow for signature soft-fail.
</span><span class="cx" style="display: block; padding: 0 10px">                // WARNING: This may be removed in the future.
</span></span></pre></div>
<a id="trunksrcwpadminincludesclasswpupgraderphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/src/wp-admin/includes/class-wp-upgrader.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/src/wp-admin/includes/class-wp-upgrader.php 2019-04-24 05:40:01 UTC (rev 45261)
+++ trunk/src/wp-admin/includes/class-wp-upgrader.php   2019-04-24 07:43:29 UTC (rev 45262)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -244,11 +244,12 @@
</span><span class="cx" style="display: block; padding: 0 10px">         *
</span><span class="cx" style="display: block; padding: 0 10px">         * @since 2.8.0
</span><span class="cx" style="display: block; padding: 0 10px">         *
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-         * @param string $package The URI of the package. If this is the full path to an
-        *                        existing local file, it will be returned untouched.
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+  * @param string $package          The URI of the package. If this is the full path to an
+        *                                 existing local file, it will be returned untouched.
+        * @param bool   $check_signatures Whether to validate file signatures. Default false.
</ins><span class="cx" style="display: block; padding: 0 10px">          * @return string|WP_Error The full path to the downloaded package file, or a WP_Error object.
</span><span class="cx" style="display: block; padding: 0 10px">         */
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-        public function download_package( $package ) {
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ public function download_package( $package, $check_signatures = false ) {
</ins><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">                /**
</span><span class="cx" style="display: block; padding: 0 10px">                 * Filters whether to return the package.
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -275,7 +276,7 @@
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">                $this->skin->feedback( 'downloading_package', $package );
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                $download_file = download_url( $package, 300, true );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+         $download_file = download_url( $package, 300, $check_signatures );
</ins><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">                if ( is_wp_error( $download_file ) && ! $download_file->get_error_data( 'softfail-filename' ) ) {
</span><span class="cx" style="display: block; padding: 0 10px">                        return new WP_Error( 'download_failed', $this->strings['download_failed'], $download_file->get_error_message() );
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -730,22 +731,26 @@
</span><span class="cx" style="display: block; padding: 0 10px">                 * Download the package (Note, This just returns the filename
</span><span class="cx" style="display: block; padding: 0 10px">                 * of the file if the package is a local file)
</span><span class="cx" style="display: block; padding: 0 10px">                 */
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                $download = $this->download_package( $options['package'] );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+         $download = $this->download_package( $options['package'], true );
</ins><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">                // Allow for signature soft-fail.
</span><span class="cx" style="display: block; padding: 0 10px">                // WARNING: This may be removed in the future.
</span><span class="cx" style="display: block; padding: 0 10px">                if ( is_wp_error( $download ) && $download->get_error_data( 'softfail-filename' ) ) {
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                        // Outout the failure error as a normal feedback, and not as an error:
-                       $this->skin->feedback( $download->get_error_message() );
</del><span class="cx" style="display: block; padding: 0 10px"> 
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                        // Report this failure back to WordPress.org for debugging purposes.
-                       wp_version_check(
-                               array(
-                                       'signature_failure_code' => $download->get_error_code(),
-                                       'signature_failure_data' => $download->get_error_data(),
-                               )
-                       );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                 // Don't output the 'no signature could be found' failure message for now.
+                       if ( 'signature_verification_no_signature' != $download->get_error_code() || WP_DEBUG ) {
+                               // Outout the failure error as a normal feedback, and not as an error:
+                               $this->skin->feedback( $download->get_error_message() );
</ins><span class="cx" style="display: block; padding: 0 10px"> 
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                                // Report this failure back to WordPress.org for debugging purposes.
+                               wp_version_check(
+                                       array(
+                                               'signature_failure_code' => $download->get_error_code(),
+                                               'signature_failure_data' => $download->get_error_data(),
+                                       )
+                               );
+                       }
+
</ins><span class="cx" style="display: block; padding: 0 10px">                         // Pretend this error didn't happen.
</span><span class="cx" style="display: block; padding: 0 10px">                        $download = $download->get_error_data( 'softfail-filename' );
</span><span class="cx" style="display: block; padding: 0 10px">                }
</span></span></pre></div>
<a id="trunksrcwpadminincludesfilephp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/src/wp-admin/includes/file.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/src/wp-admin/includes/file.php      2019-04-24 05:40:01 UTC (rev 45261)
+++ trunk/src/wp-admin/includes/file.php        2019-04-24 07:43:29 UTC (rev 45262)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -968,12 +968,12 @@
</span><span class="cx" style="display: block; padding: 0 10px">  * @since 2.5.0
</span><span class="cx" style="display: block; padding: 0 10px">  * @since 5.2.0 Signature Verification with SoftFail was added.
</span><span class="cx" style="display: block; padding: 0 10px">  *
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- * @param string $url                The URL of the file to download.
- * @param int    $timeout            The timeout for the request to download the file. Default 300 seconds.
- * @param bool   $signature_softfail Whether to allow Signature Verification to softfail. Default true.
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ * @param string $url                    The URL of the file to download.
+ * @param int    $timeout                The timeout for the request to download the file. Default 300 seconds.
+ * @param bool   $signature_verification Whether to perform Signature Verification. Default false.
</ins><span class="cx" style="display: block; padding: 0 10px">  * @return string|WP_Error Filename on success, WP_Error on failure.
</span><span class="cx" style="display: block; padding: 0 10px">  */
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-function download_url( $url, $timeout = 300, $signature_softfail = true ) {
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+function download_url( $url, $timeout = 300, $signature_verification = false ) {
</ins><span class="cx" style="display: block; padding: 0 10px">         //WARNING: The file is not automatically deleted, The script must unlink() the file.
</span><span class="cx" style="display: block; padding: 0 10px">        if ( ! $url ) {
</span><span class="cx" style="display: block; padding: 0 10px">                return new WP_Error( 'http_no_url', __( 'Invalid URL Provided.' ) );
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -1037,26 +1037,54 @@
</span><span class="cx" style="display: block; padding: 0 10px">                }
</span><span class="cx" style="display: block; padding: 0 10px">        }
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-        /**
-        * Filters the list of hosts which should have Signature Verification attempted on.
-        *
-        * @since 5.2.0
-        *
-        * @param array List of hostnames.
-        */
-       $signed_hostnames       = apply_filters( 'wp_signature_hosts', array( 'wordpress.org', 'downloads.wordpress.org', 's.w.org' ) );
-       $signature_verification = in_array( parse_url( $url, PHP_URL_HOST ), $signed_hostnames, true );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ // If the caller expects signature verification to occur, check to see if this URL supports it.
+       if ( $signature_verification ) {
+               /**
+                * Filters the list of hosts which should have Signature Verification attempteds on.
+                *
+                * @since 5.2.0
+                *
+                * @param array List of hostnames.
+                */
+               $signed_hostnames       = apply_filters( 'wp_signature_hosts', array( 'wordpress.org', 'downloads.wordpress.org', 's.w.org' ) );
+               $signature_verification = in_array( parse_url( $url, PHP_URL_HOST ), $signed_hostnames, true );
+       }
</ins><span class="cx" style="display: block; padding: 0 10px"> 
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-        // Perform the valiation
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ // Perform signature valiation if supported.
</ins><span class="cx" style="display: block; padding: 0 10px">         if ( $signature_verification ) {
</span><span class="cx" style="display: block; padding: 0 10px">                $signature = wp_remote_retrieve_header( $response, 'x-content-signature' );
</span><span class="cx" style="display: block; padding: 0 10px">                if ( ! $signature ) {
</span><span class="cx" style="display: block; padding: 0 10px">                        // Retrieve signatures from a file if the header wasn't included.
</span><span class="cx" style="display: block; padding: 0 10px">                        // WordPress.org stores signatures at $package_url.sig
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                        $signature_request = wp_safe_remote_get( $url . '.sig' );
-                       if ( ! is_wp_error( $signature_request ) && 200 === wp_remote_retrieve_response_code( $signature_request ) ) {
-                               $signature = explode( "\n", wp_remote_retrieve_body( $signature_request ) );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+
+                       $signature_url = false;
+                       $url_path      = parse_url( $url, PHP_URL_PATH );
+                       if ( substr( $url_path, -4 ) == '.zip' || substr( $url_path, -7 ) == '.tar.gz' ) {
+                               $signature_url = str_replace( $url_path, $url_path . '.sig', $url );
</ins><span class="cx" style="display: block; padding: 0 10px">                         }
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+
+                       /**
+                        * Filter the URL where the signature for a file is located.
+                        *
+                        * @since 5.2
+                        *
+                        * @param false|string $signature_url The URL where signatures can be found for a file, or false if none are known.
+                        * @param string $url                 The URL being verified.
+                        */
+                       $signature_url = apply_filters( 'wp_signature_url', $signature_url, $url );
+
+                       if ( $signature_url ) {
+                               $signature_request = wp_safe_remote_get(
+                                       $signature_url,
+                                       array(
+                                               'limit_response_size' => 10 * 1024, // 10KB should be large enough for quite a few signatures.
+                                       )
+                               );
+
+                               if ( ! is_wp_error( $signature_request ) && 200 === wp_remote_retrieve_response_code( $signature_request ) ) {
+                                       $signature = explode( "\n", wp_remote_retrieve_body( $signature_request ) );
+                               }
+                       }
</ins><span class="cx" style="display: block; padding: 0 10px">                 }
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">                // Perform the checks.
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -1075,7 +1103,7 @@
</span><span class="cx" style="display: block; padding: 0 10px">                         * @param bool   $signature_softfail If a softfail is allowed.
</span><span class="cx" style="display: block; padding: 0 10px">                         * @param string $url                The url being accessed.
</span><span class="cx" style="display: block; padding: 0 10px">                         */
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                        apply_filters( 'wp_signature_softfail', $signature_softfail, $url )
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                 apply_filters( 'wp_signature_softfail', true, $url )
</ins><span class="cx" style="display: block; padding: 0 10px">                 ) {
</span><span class="cx" style="display: block; padding: 0 10px">                        $signature_verification->add_data( $tmpfname, 'softfail-filename' );
</span><span class="cx" style="display: block; padding: 0 10px">                } else {
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -1147,6 +1175,30 @@
</span><span class="cx" style="display: block; padding: 0 10px">                );
</span><span class="cx" style="display: block; padding: 0 10px">        }
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+        // Check for a edge-case affecting PHP Maths abilities
+       if (
+               ! extension_loaded( 'sodium' ) &&
+               in_array( PHP_VERSION_ID, [ 70200, 70201, 70202 ], true ) &&
+               extension_loaded( 'opcache' )
+       ) {
+               // Sodium_Compat isn't compatible with PHP 7.2.0~7.2.2 due to a bug in the PHP Opcache extension, bail early as it'll fail.
+               // https://bugs.php.net/bug.php?id=75938
+
+               return new WP_Error(
+                       'signature_verification_unsupported',
+                       sprintf(
+                               /* translators: 1: The filename of the package. */
+                               __( 'The authenticity of %1$s could not be verified as signature verification is unavailable on this system.' ),
+                               '<span class="code">' . esc_html( $filename_for_errors ) . '</span>'
+                       ),
+                       array(
+                               'php'    => phpversion(),
+                               'sodium' => defined( 'SODIUM_LIBRARY_VERSION' ) ? SODIUM_LIBRARY_VERSION : ( defined( 'ParagonIE_Sodium_Compat::VERSION_STRING' ) ? ParagonIE_Sodium_Compat::VERSION_STRING : false ),
+                       )
+               );
+
+       }
+
</ins><span class="cx" style="display: block; padding: 0 10px">         if ( ! $signatures ) {
</span><span class="cx" style="display: block; padding: 0 10px">                return new WP_Error(
</span><span class="cx" style="display: block; padding: 0 10px">                        'signature_verification_no_signature',
</span></span></pre>
</div>
</div>

</body>
</html>