[wp-trac] [WordPress Trac] #39309: Secure WordPress Against Infrastructure Attacks
WordPress Trac
noreply at wordpress.org
Tue Mar 12 06:55:45 UTC 2019
#39309: Secure WordPress Against Infrastructure Attacks
------------------------------------------+-----------------------
Reporter: paragoninitiativeenterprises | Owner: pento
Type: enhancement | Status: assigned
Priority: normal | Milestone: 5.2
Component: Upgrade/Install | Version: 4.8
Severity: critical | Resolution:
Keywords: has-patch | Focuses:
------------------------------------------+-----------------------
Comment (by dd32):
[attachment:"39309.diff"] is the Diff version of
[https://github.com/WordPress/wordpress-develop/compare/master...dd32:feature/39309-signed-updates my git branch]
as of right now.
There were some logic changes since the above review by
@paragoninitiativeenterprises, namely that I
[https://github.com/dd32/wordpress-develop/commit/799b58e20b7388ab58b1ab8da408ecc2454bb9dc moved the fetch-signature-from-file functionality]
directly into `download_file()` rather than embedding it into
`wp_verify_signature()`. I also
[https://github.com/dd32/wordpress-develop/commit/107207e26f559f7dd6091e6faa78a53d981e9478 added]
a test-key so that others could experiment with the patch.
To test this, I've enabled signature generation for WordPress.org Themes
using the above key, so you can experiment with installing themes once
patched:
{{{
$ curl https://downloads.wordpress.org/theme/twentynineteen.1.3.zip -Is | grep 'content-signature'
x-content-signature: Wn9umvWuU2IpqPqWqbccQMmAqeHlIy49HAK8p5FjhWaZ5xeclIt/zBOMvIwKliRmSbzxsiaekom0vowEGV4aDw==
$ curl https://downloads.wordpress.org/theme/twentynineteen.1.3.zip.sig
Wn9umvWuU2IpqPqWqbccQMmAqeHlIy49HAK8p5FjhWaZ5xeclIt/zBOMvIwKliRmSbzxsiaekom0vowEGV4aDw==
}}}
Currently the patch does not output any data in the event the signature is
validated, or validation isn't attempted. I would suggest adding debugging
around line
[https://github.com/WordPress/wordpress-develop/compare/master...dd32:feature/39309-signed-updates#diff-1fd1fe5d137dd139a76a38ee23536d09R1064 1064 here]
if you wish to confirm.
In the event that signature verification is attempted (default, for all
downloads from WordPress.org domains) and signature verification fails,
the failure message will be included in the Update/Install verbose output,
but won't prevent the installation/update of the theme.
When testing, if you copy the link attached to the 'install' button in the
Themes page, you can skip the ajaxification and view the update pages
directly, and constantly reloading that page will cause it to re-download
the theme and perform the verifications before failing at "theme is
already installed".
> If anyone is concerned about SHA384 being used in other protocols,
> adding domain separation (as simple as using `hash_hmac_file()` with the
> HMAC key being a constant specific to WordPress that bears no secrecy
> requirements) would ensure that the hashes used in the file verification
> are distinct to WordPress.
The above patch and the WordPress.org implementation have proceeded just
using `hash_file()`. I don't feel greatly swayed either way here; adding a
public HMAC key seemingly wouldn't protect us against a brute-force
collision attack, and skipping it opens up a wider range of CLI tools for
hashing.
If we do change that hashing mechanism, it should be done at the same time
as we switch from using the current test key to a production key.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39309#comment:61>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
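
An added example, not part of the original message or of the WordPress patch: the two hashing options discussed above (`hash_file()` versus `hash_hmac_file()` with a public constant), each verified against a detached signature, with a failure returned as a message rather than thrown. It assumes an Ed25519 signature over the raw SHA-384 digest, base64-encoded like the header value shown; the `example_*` names, the domain key and the test key pair are hypothetical.

```php
<?php
// Added example, not WordPress core code. Requires PHP 7.2+ with ext-sodium.
// Assumption: the signature is an Ed25519 detached signature over the raw
// SHA-384 digest of the file, base64-encoded as in the header shown above.

const EXAMPLE_DOMAIN_KEY = 'example-wordpress-file-signature'; // hypothetical public constant

/** Digest of a file: plain SHA-384, or HMAC-SHA384 under a public domain key. */
function example_file_digest(string $path, bool $domain_separated): string {
    return $domain_separated
        ? hash_hmac_file('sha384', $path, EXAMPLE_DOMAIN_KEY, true)
        : hash_file('sha384', $path, true);
}

/** Returns true, or a failure message the caller can log without aborting. */
function example_verify_signature(string $path, string $sig_b64, string $pubkey, bool $domain_separated) {
    $sig = base64_decode($sig_b64, true);
    // Reject anything that is not exactly one signature long before calling sodium.
    if ($sig === false || strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return 'malformed signature';
    }
    $digest = example_file_digest($path, $domain_separated);
    return sodium_crypto_sign_verify_detached($sig, $digest, $pubkey)
        ? true
        : 'signature does not match file contents';
}

// Constructed test data: a throwaway key pair and a temporary "package".
$keypair = sodium_crypto_sign_keypair();
$secret  = sodium_crypto_sign_secretkey($keypair);
$public  = sodium_crypto_sign_publickey($keypair);
$path    = tempnam(sys_get_temp_dir(), 'pkg');
file_put_contents($path, 'constructed theme archive bytes');

// Signer side, once per hashing mode.
$sig_plain = base64_encode(sodium_crypto_sign_detached(example_file_digest($path, false), $secret));
$sig_hmac  = base64_encode(sodium_crypto_sign_detached(example_file_digest($path, true), $secret));

var_dump(example_verify_signature($path, $sig_plain, $public, false)); // plain hash, plain signature
var_dump(example_verify_signature($path, $sig_hmac, $public, true));   // HMAC hash, HMAC signature
var_dump(example_verify_signature($path, $sig_plain, $public, true));  // signature from the other domain
file_put_contents($path, 'x', FILE_APPEND);                            // modify the file after signing
var_dump(example_verify_signature($path, $sig_plain, $public, false)); // modified file
unlink($path);
```

Only the plain-hash digest can be reproduced with a generic command-line SHA-384 tool, which is the trade-off the comment describes.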