[wp-trac] [WordPress Trac] #39309: Secure WordPress Against Infrastructure Attacks
WordPress Trac
noreply at wordpress.org
Thu Apr 18 05:27:15 UTC 2019
#39309: Secure WordPress Against Infrastructure Attacks
------------------------------------------+-----------------------
Reporter: paragoninitiativeenterprises | Owner: pento
Type: task (blessed) | Status: assigned
Priority: normal | Milestone: 5.2
Component: Upgrade/Install | Version: 4.8
Severity: critical | Resolution:
Keywords: has-patch | Focuses:
------------------------------------------+-----------------------
Comment (by dd32):
Another failure case that's being reported appears to be where the
signature being validated is the raw contents of a ZIP file; in these
cases, however, there's no signature available.
It appears to be a case where the download url has a query argument added,
for example `https://wordpress.org/plugins/hello-dolly.zip?nostats=1`
The original code was just suffixing `.sig` to the URL, so it was then
requesting `http://...hello-dolly.zip?nostats=1.sig` which then results in
it double-downloading the ZIP file.
[attachment:"39309-signature-urls.diff"] corrects that by only suffixing
to the path (it keeps any query arguments in place) and only affecting
download URLs which end in `.zip` or `.tar.gz`. URLs such as
`https://api.../download.php?slug=my-private-plugin&auth=123123123` will
therefore not trigger the extra download, but a new filter
`wp_signature_url` is present to allow the plugin to specify where to find
it.
Additionally, it limits the download size to 10KB (which is enough for
100+ signatures) to hopefully limit cases where it does unfortunately
download a ZIP. We can probably safely increase this to 100KB to never
have a problem, but also prevent run-away requests that affect overall
timeouts.
I'm in two minds on the filter, I don't think it's needed as most
implementations (including WordPress.org) will hopefully include the
signature as an HTTP header, but if we're going to request a URL, we might
as well request the correct one.
@tellyworth what's your thoughts on adding a filter here?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39309#comment:80>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
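The signature-URL rule from dd32's comment above, written out as an added example. This is not WordPress core code and not the attached `39309-signature-urls.diff`: it suffixes `.sig` to the URL path only, keeps the query string, applies only to `.zip`/`.tar.gz` downloads, lets a filter override the result, and caps what is accepted as a signature body. The `wp_signature_url` hook name is from the ticket; the arguments it receives here, the `add_filter`/`apply_filters` stand-ins, the `api.example.com` endpoint and the sample URLs and bodies are assumptions constructed for the demo.

```php
<?php
// Added example (not WordPress core code, not the 39309 patch). The
// "wp_signature_url" hook name is from the ticket; the argument list it
// receives here (signature URL, download URL) is an assumption.

// Minimal stand-ins for add_filter()/apply_filters() so this runs outside WP.
if ( ! function_exists( 'apply_filters' ) ) {
	$GLOBALS['example_filters'] = array();
	function add_filter( $hook, callable $cb, $priority = 10, $accepted_args = 1 ) {
		$GLOBALS['example_filters'][ $hook ][] = $cb; // priority ignored in this stub
	}
	function apply_filters( $hook, $value, ...$args ) {
		foreach ( $GLOBALS['example_filters'][ $hook ] ?? array() as $cb ) {
			$value = $cb( $value, ...$args );
		}
		return $value;
	}
}

/**
 * Where to look for the detached signature of $download_url, or false when
 * the path does not end in .zip/.tar.gz and no filter supplies a location.
 */
function example_signature_url( $download_url ) {
	$parts         = parse_url( $download_url );
	$signature_url = false;

	if ( isset( $parts['scheme'], $parts['host'], $parts['path'] )
		&& preg_match( '/\.(zip|tar\.gz)$/i', $parts['path'] ) ) {
		// Suffix the path, not the whole URL, so "?nostats=1" survives intact
		// instead of becoming "?nostats=1.sig" and re-fetching the ZIP.
		$signature_url = $parts['scheme'] . '://' . $parts['host']
			. ( isset( $parts['port'] ) ? ':' . $parts['port'] : '' )
			. $parts['path'] . '.sig'
			. ( isset( $parts['query'] ) ? '?' . $parts['query'] : '' );
	}

	// A plugin served from a dynamic endpoint can say where its signature lives.
	return apply_filters( 'wp_signature_url', $signature_url, $download_url );
}

/**
 * Accept a fetched signature body only if it is under the size cap (10 KB in
 * the patch) and is not a ZIP archive fetched by mistake. In real WP code the
 * cap would be passed as 'limit_response_size' to wp_remote_get(); the ZIP
 * magic-byte check is an extra sanity check added here, not part of the patch.
 */
function example_accept_signature_body( $body, $limit = 10240 ) {
	if ( strlen( $body ) > $limit ) {
		return false;
	}
	if ( "PK\x03\x04" === substr( $body, 0, 4 ) ) { // ZIP local file header
		return false;
	}
	return true;
}

// Hypothetical private-plugin host (assumption): point at a signature endpoint
// for download URLs the ".zip"/".tar.gz" rule does not cover.
add_filter( 'wp_signature_url', function ( $signature_url, $download_url ) {
	if ( false === $signature_url
		&& false !== strpos( $download_url, 'api.example.com/download.php' ) ) {
		return str_replace( 'download.php', 'signature.php', $download_url );
	}
	return $signature_url;
}, 10, 2 );

// Constructed sample URLs for the demo.
$samples = array(
	'https://wordpress.org/plugins/hello-dolly.zip?nostats=1',
	'https://downloads.wordpress.org/release/wordpress-5.2.tar.gz',
	'https://api.example.com/download.php?slug=my-private-plugin&auth=123123123',
	'https://example.com/readme.txt',
);
foreach ( $samples as $url ) {
	printf( "%s\n  -> %s\n", $url, var_export( example_signature_url( $url ), true ) );
}

// Constructed bodies: a plausible base64 signature line, then the start of a ZIP.
var_dump( example_accept_signature_body( base64_encode( str_repeat( "\x00", 64 ) ) . "\n" ) );
var_dump( example_accept_signature_body( "PK\x03\x04" . str_repeat( 'x', 100 ) ) );
```

Run it with `php example.php`. The `hello-dolly.zip?nostats=1` URL yields `.../hello-dolly.zip.sig?nostats=1`, the `download.php` URL gets a location only because the filter supplies one, and the `readme.txt` URL yields `false`, which a caller would treat as "no detached signature to fetch".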