[wp-trac] [WordPress Trac] #39309: Secure WordPress Against Infrastructure Attacks
WordPress Trac
noreply at wordpress.org
Mon Dec 18 04:32:38 UTC 2017
#39309: Secure WordPress Against Infrastructure Attacks
------------------------------------------+-----------------------
Reporter: paragoninitiativeenterprises | Owner:
Type: enhancement | Status: reopened
Priority: normal | Milestone:
Component: Upgrade/Install | Version: 4.8
Severity: normal | Resolution:
Keywords: has-patch | Focuses:
------------------------------------------+-----------------------
Comment (by paragoninitiativeenterprises):
A couple of notes about the implementation of the latest batch of patches:
* This imports sodium_compat v1.4.0, which includes 32-bit support (i.e.
Windows + PHP5).
* We're using `ParagonIE_Sodium_File` which allows the verification of
large files on systems with very low memory (megabytes not gigabytes). In
particular, it tries to only buffer 8 KB of data at a given time.
* This allows an arbitrarily long list of public keys to be tested (the
order of the elements in `WP_Upgrader::getPublicKeys()` matters; new keys
should be prepended not appended as time goes on).
This patch set does not include Userbase Consistency Verification. If
Chronicle (https://github.com/paragonie/chronicle) is deemed an acceptable
solution for this requirement, sodium_compat is a pre-requisite.
This patch set does not include update reproducibility, which will require
a separate project entirely.
This patch set does not include theme/plugin signing, but is a step in the
right direction.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39309#comment:22>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
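The two mechanisms the comment relies on (streaming verification through `ParagonIE_Sodium_File`, and an ordered, newest-first list of public keys) can be exercised together in a few lines. The following is an added example written for this page; it is not code from the ticket, from WordPress core or from sodium_compat itself. It assumes sodium_compat is installed via Composer (autoloader at `./vendor/autoload.php`), PHP 7+ or random_compat for `random_bytes`, and the documented signatures `ParagonIE_Sodium_File::sign(string $filePath, string $secretKey): string` and `ParagonIE_Sodium_File::verify(string $sig, string $filePath, string $publicKey): bool`. The function `verify_package_signature()` is a hypothetical stand-in for whatever the updater calls around `WP_Upgrader::getPublicKeys()`; the key list and the 1 MiB "package" are constructed in the script.

```php
<?php
// Added example, not code from the ticket, WordPress core or sodium_compat.
// Assumes sodium_compat via Composer and the documented signatures of
// ParagonIE_Sodium_File::sign()/verify().
require_once __DIR__ . '/vendor/autoload.php';

/**
 * Check a detached Ed25519 signature over a file on disk against an ordered
 * list of trusted public keys. Returns the index of the first key that
 * validates, or -1 if none does.
 *
 * Keys are tried newest-first, so the array must be maintained by prepending
 * each new key (the ordering rule the ticket describes for
 * WP_Upgrader::getPublicKeys()). Retiring a key is just dropping its entry.
 *
 * ParagonIE_Sodium_File reads the file in 8 KB chunks, so the whole package
 * never has to fit in memory.
 *
 * @param string   $filePath   path of the downloaded package
 * @param string   $signature  raw 64-byte signature
 * @param string[] $publicKeys raw 32-byte Ed25519 public keys, newest first
 * @return int
 */
function verify_package_signature($filePath, $signature, array $publicKeys)
{
    // Reject malformed input up front; the library throws on bad lengths.
    if (ParagonIE_Sodium_Core_Util::strlen($signature) !== ParagonIE_Sodium_Compat::CRYPTO_SIGN_BYTES) {
        return -1;
    }
    if (!is_readable($filePath)) {
        return -1;
    }
    foreach (array_values($publicKeys) as $i => $pk) {
        if (ParagonIE_Sodium_Core_Util::strlen($pk) !== ParagonIE_Sodium_Compat::CRYPTO_SIGN_PUBLICKEYBYTES) {
            continue; // skip a malformed entry rather than abort the whole check
        }
        try {
            if (ParagonIE_Sodium_File::verify($signature, $filePath, $pk)) {
                return $i;
            }
        } catch (SodiumException $ex) {
            // A non-canonical or small-order signature component makes the
            // library throw; treat it the same as "did not verify".
            continue;
        }
    }
    return -1;
}

// --- Demo: one key rotation and one tampered download (constructed data) ---
$oldKp = ParagonIE_Sodium_Compat::crypto_sign_keypair();
$newKp = ParagonIE_Sodium_Compat::crypto_sign_keypair();

// Key list as the updater would hold it after a rotation: new key prepended.
$trusted = array(
    ParagonIE_Sodium_Compat::crypto_sign_publickey($newKp),
    ParagonIE_Sodium_Compat::crypto_sign_publickey($oldKp),
);

// Constructed 1 MiB "package", i.e. many times the library's 8 KB buffer.
$pkg = tempnam(sys_get_temp_dir(), 'wpupd');
file_put_contents($pkg, ParagonIE_Sodium_Compat::randombytes_buf(1 << 20));

$sigNew = ParagonIE_Sodium_File::sign($pkg, ParagonIE_Sodium_Compat::crypto_sign_secretkey($newKp));
$sigOld = ParagonIE_Sodium_File::sign($pkg, ParagonIE_Sodium_Compat::crypto_sign_secretkey($oldKp));

// Signed with the current key: matches the first entry.
var_dump(verify_package_signature($pkg, $sigNew, $trusted));
// Signed with the previous key: still accepted while it remains in the list.
var_dump(verify_package_signature($pkg, $sigOld, $trusted));
// Same old-key signature after that key has been retired from the list.
var_dump(verify_package_signature($pkg, $sigOld, array($trusted[0])));

// Flip one byte deep in the file; the streamed hash changes and no key verifies.
$fh = fopen($pkg, 'r+b');
fseek($fh, 500000);
$b = fread($fh, 1);
fseek($fh, 500000);
fwrite($fh, chr(ord($b) ^ 0x01));
fclose($fh);
var_dump(verify_package_signature($pkg, $sigNew, $trusted));

unlink($pkg);
```

Run with `php example.php`. The first call should report the current key (index 0), the second the older key (index 1), the third should fail because the old key was dropped from the list, and the fourth should fail against every key because a single byte of the file changed. The length checks and the `SodiumException` catch matter in an updater: an attacker who can serve the download can also serve the signature, and a verification routine that throws on a crafted signature instead of returning false turns a clean "reject" into an unhandled error path.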