[wp-trac] [WordPress Trac] #39309: Secure WordPress Against Infrastructure Attacks

WordPress Trac noreply at wordpress.org
Wed Apr 24 04:16:22 UTC 2019

#39309: Secure WordPress Against Infrastructure Attacks
 Reporter:  paragoninitiativeenterprises  |       Owner:  pento
     Type:  task (blessed)                |      Status:  assigned
 Priority:  normal                        |   Milestone:  5.2
Component:  Upgrade/Install               |     Version:  4.8
 Severity:  critical                      |  Resolution:
 Keywords:  has-patch                     |     Focuses:

Comment (by dd32):

 Current State of this ticket:

 The following patches need review and/or commit:
  - [attachment:"39309-phpbug.3.diff"] to disable this for incompatible
 PHP's.[[BR]]Best way to test this is to just verify it's not triggered on
 a 'good' system.
  - [attachment:"39309-signature-urls.2.diff"] to prevent WordPress
 downloading incorrect URLs when searching for a signature file (Review
 needed, seems no-one reviewed [attachment:"39309-signature-urls.diff"] as
 the patch file was incomplete). [[BR]]Best way to test this is to call
 `download_url( "https://downloads.wordpress.org/plugin/hello-
 dolly.1.6.zip?nostats=1", 300, true );` and verify you get the
 `signature_verification_no_signature` error instead of the
 `signature_verification_failed` error code.
  - [attachment:"39309.disable-no-warnings-notice.diff"] to disable the "No
 signature found" warning when installing Plugins, Themes, and other items.
 [[BR]]Best way to test this is to install a plugin while viewing it's
 output, verify that you don't see the "No signature found" message (No
 plugins have signatures currently)
  - https://core.trac.wordpress.org/ticket/46615#comment:14 also needs
 review and commit, the patch there improves Backwards compatibility with
 3rd party update scripts and renames the `$signature_softfail` variable to
 be an on/off switch for signatures. [[BR]]Best way to test this is to call
 `download_url( "https://downloads.wordpress.org/plugin/hello-
 dolly.1.6.zip?nostats=1" );` and verify you get a non-WP_Error object.
  - We'll be updating `wp_trusted_keys()` with a new public key before
 5.2's release - the existing key will be no longer used.

 Unfortunately at 5.2's release we're only going to have Signatures for
 Core Updates packages ready, with themes/plugins/translations to come
 later, which is why [attachment:"39309.disable-no-warnings-notice.diff"]
 is needed.

 It's also likely that we'll change `wp_trusted_keys()` in 5.2.x to have
 separate keys for Core Releases and Plugins/Themes/Translations/etc to
 allow us to apply more fine-grained control, that'll likely also require
 us to add a `$context = core|plugin|theme|translation` parameter or
 similar to switch between different trusted keys and likely also to
 consider revoked keys.
 Some of those improvements might be put in 5.3 instead, as what we
 currently have in `trunk` can support improvements being made in a future
 release without compromising on security or risking a case where updates

Ticket URL: <https://core.trac.wordpress.org/ticket/39309#comment:85>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list