[wp-trac] [WordPress Trac] #12081: $wp_default_secret_key can't be overridden, posing localization issues
WordPress Trac
wp-trac at lists.automattic.com
Fri Jan 29 18:17:17 UTC 2010
#12081: $wp_default_secret_key can't be overridden, posing localization issues
--------------------------+-------------------------------------------------
Reporter: nacin | Owner: nbachiyski
Type: defect (bug) | Status: new
Priority: normal | Milestone: 3.0
Component: i18n | Version:
Severity: normal | Keywords:
--------------------------+-------------------------------------------------
$wp_default_secret_key is designed to hold the default string for
SECRET_KEY in wp-config-sample.php, which in en_US is 'put your unique
phrase here'.
This is only used in wp_salt() (a pluggable function) to see if the key-holding constants in wp-config.php were changed.
But in a localized install, 'put your unique phrase here' is translated.
Problem is, $wp_default_secret_key is defined in wp-settings.php (2.9) and
the two localized installs I checked don't override it. (There are no
translator instructions to do so.)
$wp_default_secret_key has since been moved to default-constants.php, where it is more out of place, since it cannot be overridden without hard-coding it there or setting it much later. (No check is done to see if it is already set before setting the value.)
Security considerations:
In localized installs, $wp_default_secret_key never equals the default
key, which means we treat a default string as if it were unique.
Possible ideas:
- Move $wp_default_secret_key to wp-includes/load.php (all strings that
need to be hard-coded have been moved from wp-settings.php to there) and
add a comment for translators / ensure that translators update the value.
- Probably outside the scope of this ticket, but we should have setup-config.php {{{wp_remote_get('https://api.wordpress.org/secret-key/1.1/')}}} and replace the default keys on install.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/12081>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
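Added illustration of the check the ticket describes (not WordPress core code): a minimal PHP model of the comparison wp_salt() makes against $wp_default_secret_key, showing how a translated sample string slips past it, next to a hypothetical check that also compares against the locale's own default. The translated string and the function names are constructed for this example.

```php
<?php
// Added example, not WordPress code. Models the "is the key still the
// default?" check that wp_salt() performs using $wp_default_secret_key.

// English default string from wp-config-sample.php (quoted in the ticket).
$wp_default_secret_key = 'put your unique phrase here';

// Constructed stand-in for the same string as shipped by a localized
// wp-config-sample.php; the real text depends on the locale.
$translated_default = 'mettez votre phrase unique ici';

// Behaviour the ticket describes: a configured key counts as unique
// whenever it is non-empty and differs from the English default only.
function key_is_unique_current(string $configured, string $default): bool
{
    return $configured !== '' && $configured !== $default;
}

// Hypothetical hardened check: treat the key as default if it matches
// any known sample string (English plus whatever the active locale ships).
function key_is_unique_localized(string $configured, array $defaults): bool
{
    if ($configured === '') {
        return false;
    }
    foreach ($defaults as $default) {
        // hash_equals avoids leaking the comparison length via timing.
        if (hash_equals($default, $configured)) {
            return false;
        }
    }
    return true;
}

// A localized install whose wp-config.php was never edited: SECRET_KEY
// holds the translated sample string, not the English one.
$configured = $translated_default;
$known_defaults = [$wp_default_secret_key, $translated_default];

printf(
    "current check: %s, localized check: %s\n",
    var_export(key_is_unique_current($configured, $wp_default_secret_key), true),
    var_export(key_is_unique_localized($configured, $known_defaults), true)
);
```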