[wp-trac] [WordPress Trac] #29518: Fatal error in WP_Session_Tokens::hash_token()
WordPress Trac
noreply at wordpress.org
Thu Sep 4 23:22:43 UTC 2014
#29518: Fatal error in WP_Session_Tokens::hash_token()
----------------------------+--------------------
Reporter: SergeyBiryukov | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: 4.0.1
Component: General | Version: 4.0
Severity: normal | Resolution:
Keywords: | Focuses:
----------------------------+--------------------
Comment (by nacin):
[attachment:29518.diff] falls back to sha1() if ext/hash is disabled.
For sites that have ext/hash currently:
* No change. Sessions and cookies generated in 4.0 will work after update
to 4.0.1.
For sites that don't have ext/hash:
* No change from 3.9, and sessions simply use sha1.
For sites that lose ext/hash:
* Their sessions and cookies will become invalidated. Also, WTF?
For sites that already updated to 4.0 and are issuing fatal errors:
* Cron won't run any authentication functions, which means an automatic
update can rescue these sites. This is pretty meaningless as it doesn't
affect many people, but still — FTW. It also means we don't need to rush a
4.0.1 for this, which I loathe to do anyway.
For now, the support forums recommendation should be to:
* Change sha256 to sha1 wherever it appears in pluggable.php (twice)
* Change `return hash( 'sha256', $token );` in session.php to `return
sha1( $token );`
* Update to 4.0.1 when it comes out (if it isn't automatic for them) to
get the "proper" changes.
(`function_exists( 'hash' ) ? 'sha256' : 'sha1'` looks really weird and
will need a code comment.)
--
Ticket URL: <https://core.trac.wordpress.org/ticket/29518#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
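
The following is an added illustration, not part of the original message and not WordPress core code. It shows why the three kinds of site in the comment above behave differently when the token digest falls back from sha256 to sha1. The `demo_*` function names, the `$has_ext_hash` flag and the sample token are assumptions made for the example.

```php
<?php
// Added illustration only; every demo_* name here is hypothetical.

// Choose the digest as the ticket describes: sha256 when ext/hash is
// present, sha1 otherwise. The availability is passed in as a flag so that
// both kinds of site can be simulated in one process; real code would test
// function_exists( 'hash' ) instead.
function demo_hash_token( $token, $has_ext_hash ) {
    return $has_ext_hash ? hash( 'sha256', $token ) : sha1( $token );
}

// The server keeps only the verifier (the digest of the token), keyed by it.
function demo_create_session( array &$store, $token, $has_ext_hash ) {
    $verifier           = demo_hash_token( $token, $has_ext_hash );
    $store[ $verifier ] = array( 'expiration' => time() + 3600 );
}

// A session is valid only if the digest computed now matches a stored key.
function demo_verify_session( array $store, $token, $has_ext_hash ) {
    $verifier = demo_hash_token( $token, $has_ext_hash );
    return isset( $store[ $verifier ] )
        && $store[ $verifier ]['expiration'] > time();
}

$token = 'constructed-sample-token-0001'; // constructed value, not a real token

// Each case: [ ext/hash present at login, ext/hash present at next request ].
$cases = array(
    'has ext/hash throughout'  => array( true, true ),
    'never had ext/hash'       => array( false, false ),
    'loses ext/hash in between' => array( true, false ),
);

foreach ( $cases as $label => $case ) {
    list( $at_login, $at_request ) = $case;
    $store = array();
    demo_create_session( $store, $token, $at_login );
    $valid = demo_verify_session( $store, $token, $at_request );
    printf( "%-27s session valid: %s\n", $label, $valid ? 'yes' : 'no' );
}
```

Only the third case reports an invalid session: the stored verifier is a sha256 digest, the later request computes a sha1 digest, and the lookup misses, so the user has to log in again.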