[wp-trac] [WordPress Trac] #39309: Secure WordPress Against Infrastructure Attacks
WordPress Trac
noreply at wordpress.org
Wed Apr 24 04:16:22 UTC 2019
#39309: Secure WordPress Against Infrastructure Attacks
------------------------------------------+-----------------------
Reporter: paragoninitiativeenterprises | Owner: pento
Type: task (blessed) | Status: assigned
Priority: normal | Milestone: 5.2
Component: Upgrade/Install | Version: 4.8
Severity: critical | Resolution:
Keywords: has-patch | Focuses:
------------------------------------------+-----------------------
Comment (by dd32):
Current State of this ticket:
The following patches need review and/or commit:
- [attachment:"39309-phpbug.3.diff"] to disable this for incompatible
PHP's.[[BR]]Best way to test this is to just verify it's not triggered on
a 'good' system.
- [attachment:"39309-signature-urls.2.diff"] to prevent WordPress
downloading incorrect URLs when searching for a signature file (Review
needed, seems no-one reviewed [attachment:"39309-signature-urls.diff"] as
the patch file was incomplete). [[BR]]Best way to test this is to call
`download_url( "https://downloads.wordpress.org/plugin/hello-
dolly.1.6.zip?nostats=1", 300, true );` and verify you get the
`signature_verification_no_signature` error instead of the
`signature_verification_failed` error code.
- [attachment:"39309.disable-no-warnings-notice.diff"] to disable the "No
signature found" warning when installing Plugins, Themes, and other items.
[[BR]]Best way to test this is to install a plugin while viewing it's
output, verify that you don't see the "No signature found" message (No
plugins have signatures currently)
- https://core.trac.wordpress.org/ticket/46615#comment:14 also needs
review and commit, the patch there improves Backwards compatibility with
3rd party update scripts and renames the `$signature_softfail` variable to
be an on/off switch for signatures. [[BR]]Best way to test this is to call
`download_url( "https://downloads.wordpress.org/plugin/hello-
dolly.1.6.zip?nostats=1" );` and verify you get a non-WP_Error object.
- We'll be updating `wp_trusted_keys()` with a new public key before
5.2's release - the existing key will be no longer used.
Unfortunately at 5.2's release we're only going to have Signatures for
Core Updates packages ready, with themes/plugins/translations to come
later, which is why [attachment:"39309.disable-no-warnings-notice.diff"]
is needed.
It's also likely that we'll change `wp_trusted_keys()` in 5.2.x to have
separate keys for Core Releases and Plugins/Themes/Translations/etc to
allow us to apply more fine-grained control, that'll likely also require
us to add a `$context = core|plugin|theme|translation` parameter or
similar to switch between different trusted keys and likely also to
consider revoked keys.
Some of those improvements might be put in 5.3 instead, as what we
currently have in `trunk` can support improvements being made in a future
release without compromising on security or risking a case where updates
fail.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39309#comment:85>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list