[wp-trac] [WordPress Trac] #39309: Secure WordPress Against Infrastructure Attacks

WordPress Trac noreply at wordpress.org
Thu Apr 18 05:27:15 UTC 2019 

#39309: Secure WordPress Against Infrastructure Attacks
------------------------------------------+-----------------------
 Reporter:  paragoninitiativeenterprises  |       Owner:  pento
     Type:  task (blessed)                |      Status:  assigned
 Priority:  normal                        |   Milestone:  5.2
Component:  Upgrade/Install               |     Version:  4.8
 Severity:  critical                      |  Resolution:
 Keywords:  has-patch                     |     Focuses:
------------------------------------------+-----------------------

Comment (by dd32):

 Another failure case that's being reported appears to be where the
 Signature being validated is the raw contents of a ZIP file, in these
 cases however there's no signature available.

 It appears to be a case where the download url has a query argument added,
 for example `https://wordpress.org/plugins/hello-dolly.zip?nostats=1`
 The original code was just suffixing `.sig` to the URL, so it was then
 requesting `http://...hello-dolly.zip?nostats=1.sig` which then results in
 it double-downloading the ZIP file.

 [attachment:"39309-signature-urls.diff"] corrects that by only suffixing
 to the path (It keeps any Query arguments in place) and only affecting
 download urls which end in `.zip` or `.tar.gz`. Urls such as
 `https://api.../download.php?slug=my-private-plugin&auth=123123123` will
 therefor not trigger the extra download, but a new filter
 `wp_signature_url` is present to allow the plugin to specify where to find
 it.
 Additionally, it limits the download size to 10KB (which is enough for
 100+ signatures) to hopefully limit cases where it does unfortunately
 download a ZIP. We can probably safely increase this to 100KB to never
 have a problem, but also prevent run-away requests that affect overall
 timeouts.

 I'm in two minds on the filter, I don't think it's needed as most
 implementations (including WordPress.org) will hopefully include the
 signature as a HTTP header, but if we're going to request a url, we might
 as well request the correct one.
 @tellyworth what's your thoughts on adding a filter here?

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/39309#comment:80>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list