[wp-trac] [WordPress Trac] #39309: Secure WordPress Against Infrastructure Attacks
WordPress Trac
noreply at wordpress.org
Wed Apr 17 06:08:32 UTC 2019
#39309: Secure WordPress Against Infrastructure Attacks
------------------------------------------+-----------------------
Reporter: paragoninitiativeenterprises | Owner: pento
Type: task (blessed) | Status: assigned
Priority: normal | Milestone: 5.2
Component: Upgrade/Install | Version: 4.8
Severity: critical | Resolution:
Keywords: has-patch | Focuses:
------------------------------------------+-----------------------
Comment (by dd32):
Replying to [comment:76 dd32]:
> [attachment:"39309-phpbug.diff"] uses the same error/string "unavailable
> on this system" and adds an extra conditional of "the opcache must be
> enabled". Turns out it wasn't on my original test system, which is why
> it took me longer than I'd have liked to track down the failure.
After more consideration, I'm not sure that conditional is best; it's
trying to be very specific, whereas I think we should go with a pretty
broad conditional. Other SAPIs than fpm are affected if opcache is
enabled, and while we can detect the exact conditionals, it's a bit
whack-a-mole; let's just blacklist those PHPs instead for the very small
portion of users who are using them.
I'd suggest we simply reduce the test to this to completely disable the
functionality on potentially affected installs (and in the future, disable
verification checking requirements on an affected install)
{{{
if (
! extension_loaded('sodium') &&
in_array( PHP_VERSION_ID, [70200, 70201, 70202] )
) {
}}}
We could also blacklist 7.3.0 for the `SodiumException` segfault if that's
actually required, @paragoninitiativeenterprises; for reference, ~15% of
current PHP 7.3 users are on PHP 7.3.0.
{{{
if (
(
! extension_loaded('sodium') &&
in_array( PHP_VERSION_ID, [70200, 70201, 70202] )
) ||
(
extension_loaded( 'sodium' ) &&
PHP_VERSION_ID === 70300
)
) {
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39309#comment:78>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list
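The broad blacklist proposed in the comment above, as an added example that is not part of the ticket, the attached patch or WordPress core. It wraps the two conditions in a function that takes the version id and sodium state as arguments, so the check can be exercised against constructed version strings rather than only the PHP running the script; the helper and function names (`example_php_version_id`, `example_is_affected_php`) and the test cases are this example's own.

```php
<?php
// Added example, not code from the ticket or from WordPress core.
// Encodes the broad blacklist from the comment above:
//   - PHP 7.2.0, 7.2.1, 7.2.2 without ext/sodium (the polyfill path that hits
//     the opcache bug, on any SAPI), and
//   - PHP 7.3.0 with ext/sodium (the SodiumException segfault the comment
//     suggests blacklisting, if it turns out to be required).
// Function names and the sample cases below are this example's own.

/**
 * Convert "major.minor.release" to the integer form PHP itself exposes as
 * PHP_VERSION_ID (major * 10000 + minor * 100 + release), so that versions
 * other than the running one can be fed to the check.
 */
function example_php_version_id(string $version): int {
    if (!preg_match('/^(\d+)\.(\d+)\.(\d+)/', $version, $m)) {
        throw new InvalidArgumentException("Unparseable PHP version: $version");
    }
    return (int)$m[1] * 10000 + (int)$m[2] * 100 + (int)$m[3];
}

/**
 * True when the given PHP build falls in the blacklist, i.e. when the
 * comment proposes to disable the sodium-backed functionality entirely
 * instead of trying to detect the exact SAPI/opcache combination.
 */
function example_is_affected_php(int $version_id, bool $sodium_loaded): bool {
    // Polyfill path on the affected 7.2.x releases.
    if (!$sodium_loaded && in_array($version_id, [70200, 70201, 70202], true)) {
        return true;
    }
    // Native ext/sodium on 7.3.0.
    if ($sodium_loaded && $version_id === 70300) {
        return true;
    }
    return false;
}

// Constructed cases (not measurements from any real install):
// [version string, ext/sodium loaded?, expected result].
$cases = [
    ['7.2.1', false, true],   // polyfill on 7.2.1: blacklisted
    ['7.2.1', true,  false],  // native sodium on 7.2.1: fine
    ['7.2.3', false, false],  // polyfill on 7.2.3: outside the range
    ['7.3.0', true,  true],   // native sodium on 7.3.0: blacklisted
    ['7.3.0', false, false],  // polyfill on 7.3.0: fine
    ['7.3.4', true,  false],  // later 7.3.x: fine
];

foreach ($cases as [$ver, $sodium, $expected]) {
    $got = example_is_affected_php(example_php_version_id($ver), $sodium);
    printf(
        "%-6s sodium=%-5s affected=%-5s %s\n",
        $ver,
        var_export($sodium, true),
        var_export($got, true),
        $got === $expected ? 'ok' : 'MISMATCH'
    );
}

// Finally, evaluate the PHP actually running this script.
$affected = example_is_affected_php(PHP_VERSION_ID, extension_loaded('sodium'));
echo PHP_VERSION, ' is ', ($affected ? 'in' : 'not in'), " the blacklist\n";
```

Keeping the version id and the extension state as parameters rather than reading `PHP_VERSION_ID` and `extension_loaded()` inside the function is what makes the table above possible; it also means that if the blacklist later grows (or the 7.3.0 entry is dropped), the change is a single line and every case can be re-run without switching PHP binaries.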