[wp-trac] [WordPress Trac] #53402: Uniform Hashed User Naming Schema for Cross-Domain Interoperability and Transparency in Aggregate Data
WordPress Trac
noreply at wordpress.org
Tue Jun 15 01:06:16 UTC 2021
#53402: Uniform Hashed User Naming Schema for Cross-Domain Interoperability and Transparency in Aggregate Data
-------------------------------------+-------------------------------------
Reporter: 411c3 | Owner: (none)
Type: feature request | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Privacy | Version: trunk
Severity: blocker | Keywords: needs-design-feedback
Focuses: accessibility, privacy, | needs-testing
coding-standards |
-------------------------------------+-------------------------------------
SHA3.org's Single SignOn plugin was presented at the special session on
data provenance to amend NSA's hard problems during the Hot Topics on
Science of Security (HoTSoS) symposium.
I'm the developer in search of urgent support in adapting existing,
critical Internet infrastructure as part of an immediate patch to confront
the unfolding consequences of communications monopolization.
Four hundred fifty-five million WordPress installs exist. One core update
providing users with the option to hash a passphrase into the username
would effectively transform cyberspace into a liquid platform.
Commentary involving specific improvements to code, as well as cogent
peripheral considerations, is welcome.
ABSTRACT: Open-source publishing platforms lack necessary interoperability
to counterbalance the security risks of network centralization. The
objective aims to bridge the gap between decentralized installs, mixed
data and uniform identity verification across multiple domains.
FOSTA-SESTA compliance, the policy debate over 47 U.S.C. § 230, and legal
challenges to existing immunities demand urgent solutions to user content
accountability and transferability ere massive platform seizure or
collapse.
Existing solutions buckle under P.I.I. vulnerabilities in open-source
software operated at every level of business and government.
Incorporating an optional hashed passphrase into the username with future
software updates could resolve these immediate challenges.
We can restore a sense of user agency and digital trust by distilling the
solution space into domain interoperability facilitated by hashed user
signatures to provide transparency and privacy within aggregate data.
''For additional background on the project, you can see that at
https://www.sha3.org.''
''Components of this plugin have been modified and sourced from the
following Questions: Pre-login and pre-registration actions[1], Invalid
username special charachters issue[2], Add action that returns modified
value[3].''
**Figure 1: Vector Poster of Secure Single SignOn.**
[[Image('https://i.stack.imgur.com/pAsAE.png')]]
sha3-secure-signon.php
{{{
<?php
/*
Plugin Name: SHA3 Secure SignOn
Plugin URI: https://www.sha3.org/
Description: Updates native wp-login.php with cross-platform SHA3 and DES Secure SignOn.
Version: 1.0
Author: USWWN
Author URI: https://www.uswwn.com/
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html
*/

// Add jQuery for placeholder text and radio deselect
add_action('login_enqueue_scripts', 'wpse_login_enqueue_scripts', 10);
function wpse_login_enqueue_scripts()
{
    wp_enqueue_script('sha3.js', plugin_dir_url(__FILE__) . 'js/sha3-secure-signon.js', array('jquery'), '1.0');
}

// Classic DES tripcode: crypt(3) with a two-character salt taken from the passphrase itself.
// (The preg_replace pattern needs "/" delimiters; without them the salt was never cleaned.)
function sha3_des_tripcode($tripcoded)
{
    $salt = substr($tripcoded . "H.", 1, 2);
    $salt = preg_replace("/[^\.-z]/", ".", $salt);
    $salt = strtr($salt, ":;<=>?@[\\]^_`", "ABCDEFGabcdef");
    return substr(crypt($tripcoded, $salt), -10);
}

// "name#passphrase" becomes "name!tripcode"; a bare "passphrase" (no hash sign) becomes "!tripcode".
function sha3_tripcode_login($login)
{
    if (strpos($login, '#') !== false) {
        $trippassword = explode('#', $login);
        return $trippassword[0] . '!' . sha3_des_tripcode($trippassword[1]);
    }
    return '!' . sha3_des_tripcode($login);
}

// Allow hash sign-on on register (the "!" prefix is otherwise rejected by strict sanitizing)
add_filter('sanitize_user', 'wscu_sanitize_user', 10, 3);
function wscu_sanitize_user($username, $raw_username, $strict)
{
    if (isset($_POST['user_login']) && isset($_POST['hash'])) {
        // If a hash option is selected, keep the raw value.
        // sanitize_text_field may limit functionality but is necessary for database security;
        // not sure if we need to sanitize here or if the next action is enough.
        // Also possible: sanitize_user($username, false);
        if ($_POST['hash'] == "des_tripcode" || $_POST['hash'] == "sha3_hash") {
            $username = sanitize_text_field($raw_username);
        }
    }
    return $username;
}

// REGISTER
add_action('login_form_register', 'custom_user_login');
function custom_user_login()
{
    // Make sure the registration form was submitted with a login value and a hash option
    if ($_SERVER['REQUEST_METHOD'] != 'POST' || !isset($_POST['user_login']) || !isset($_POST['hash'])) {
        return;
    }
    // Base of user_login
    $ulogin = $_POST['user_login'];
    // For DES tripcode
    if ($_POST['hash'] == "des_tripcode") {
        $_POST['user_login'] = sanitize_text_field(sha3_tripcode_login($ulogin));
    }
    // For SHA3 hash: "!!" followed by sha3-224 of the submitted value
    if ($_POST['hash'] == "sha3_hash") {
        $_POST['user_login'] = sanitize_text_field('!!' . hash('sha3-224', $ulogin));
    }
}

// Adds the DES and SHA3 options on login and register
add_action('register_form', 'use_des_tripcode_login');
add_action('login_form', 'use_des_tripcode_login');
function use_des_tripcode_login()
{
    echo '<p><input type="radio" id="des_tripcode" name="hash" class="no_option" value="des_tripcode"><label for="des_tripcode"> DES Tripcode</label></p>';
    echo '<p><input type="radio" id="sha3_hash" name="hash" class="no_option" value="sha3_hash"><label for="sha3_hash"> SHA3 Hash</label></p>';
    echo '<input type="radio" name="hash" class="no_option" value="null" style="display:none">';
}

// LOGIN: replace the core username/password handler with one that derives the username first
remove_action('authenticate', 'wp_authenticate_username_password', 20);
add_filter('authenticate', 'des_tripcode_login', 10, 3);
function des_tripcode_login($user, $username, $password)
{
    // For DES tripcode (with or without a pound sign)
    if (isset($_POST['hash']) && $_POST['hash'] == "des_tripcode") {
        $username = sanitize_text_field(sha3_tripcode_login($username));
    }
    // For SHA3 hash
    if (isset($_POST['hash']) && $_POST['hash'] == "sha3_hash") {
        $username = sanitize_text_field('!!' . hash('sha3-224', $username));
    }
    // The remainder mirrors wp_authenticate_username_password()
    if (is_a($user, 'WP_User')) {
        return $user;
    }
    if (empty($username) || empty($password)) {
        $error = new WP_Error();
        if (empty($username)) {
            $error->add('empty_username', __('<strong>ERROR</strong>: The username field is empty.'));
        }
        if (empty($password)) {
            $error->add('empty_password', __('<strong>ERROR</strong>: The password field is empty.'));
        }
        return $error;
    }
    $user = get_user_by('login', $username);
    if (!$user) {
        return new WP_Error('invalid_username', sprintf(__('<strong>ERROR</strong>: Invalid username. <a href="%s" title="Password Lost and Found">Lost your password</a>?'), wp_lostpassword_url()));
    }
    if (is_multisite()) {
        // Is user marked as spam?
        if (1 == $user->spam) {
            return new WP_Error('spammer_account', __('<strong>ERROR</strong>: Your account has been marked as a spammer.'));
        }
        // Is the user's blog marked as spam?
        if (!is_super_admin($user->ID) && isset($user->primary_blog)) {
            $details = get_blog_details($user->primary_blog);
            if (is_object($details) && $details->spam == 1) {
                return new WP_Error('blog_suspended', __('Site Suspended.'));
            }
        }
    }
    $user = apply_filters('wp_authenticate_user', $user, $password);
    if (is_wp_error($user)) {
        return $user;
    }
    if (!wp_check_password($password, $user->user_pass, $user->ID)) {
        return new WP_Error('incorrect_password', sprintf(__('<strong>ERROR</strong>: The password you entered for the username <strong>%1$s</strong> is incorrect. <a href="%2$s" title="Password Lost and Found">Lost your password</a>?'), $username, wp_lostpassword_url()));
    }
    return $user;
}

// Abort a profile update that tries to put a reserved "!" into a name field
function sha3_reserved_die()
{
    wp_die(sprintf(__('<strong>ERROR</strong>: Exclamation points are reserved to identify SHA3 and DES hashes. <a href="%s" title="Go Back">Go back to profile</a>.'), wp_get_referer()));
}

// Reserve exclamations to identify hash - nicknames
add_filter('pre_user_display_name', 'my_displayname_block');
function my_displayname_block($user_display_name)
{
    $current_user = wp_get_current_user();
    $current_usernick = $current_user->nickname;
    // BuddyPress optional name filter for exclamation (disabled):
    // if (isset($_POST['field_1']) && strpos($_POST['field_1'], "!") !== false) {
    //     sha3_reserved_die();
    // }
    if (isset($_POST['nickname']) && strpos($_POST['nickname'], "!") !== false && $_POST['nickname'] != $current_usernick) {
        sha3_reserved_die();
    }
    return $user_display_name;
}

// Reserve exclamations to identify hash - first/last names
add_filter('insert_user_meta', function ($meta, $user, $update) {
    if ($update) {
        foreach (array('first_name', 'last_name') as $field) {
            if (isset($_POST[$field]) && strpos($_POST[$field], "!") !== false) {
                sha3_reserved_die();
            }
        }
    }
    return $meta;
}, 10, 3);

// Edit login text
add_filter('gettext', 'sha3_text');
add_filter('ngettext', 'sha3_text');
function sha3_text($translated)
{
    return str_ireplace('Username', 'Secure SignOn', $translated);
}

// Add usage info to footer
add_action('login_footer', 'sha3_footer');
function sha3_footer()
{
    echo '<div id="login"><p id="nav">For Secure SignOn usage, visit <a href="https://www.sha3.org">sha3.org</a>.</p></div>';
}

// Disable registration in BuddyPress and send sign-ups to wp-login.php
function my_disable_bp_registration()
{
    remove_action('bp_init', 'bp_core_wpsignup_redirect');
    remove_action('bp_screens', 'bp_core_screen_signup');
}
add_action('bp_loaded', 'my_disable_bp_registration');

add_filter('bp_get_signup_page', 'firmasite_redirect_bp_signup_page');
function firmasite_redirect_bp_signup_page($page)
{
    return bp_get_root_domain() . '/wp-login.php?action=register';
}

// Disallow editing of the bp name field since
// (the filter must always return $retval, also when xprofile is inactive)
function bpfr_hide_profile_field_group($retval)
{
    if (bp_is_active('xprofile')) {
        // Hide profile group/field to all except admin
        if (!is_super_admin()) {
            // Exclude fields, separated by comma
            $retval['exclude_fields'] = '1';
            // Exclude groups, separated by comma
            $retval['exclude_groups'] = '1';
        }
    }
    return $retval;
}
add_filter('bp_after_has_profile_parse_args', 'bpfr_hide_profile_field_group');
}}}
sha3-secure-signon.js
{{{
/**
 * Custom js file: placeholder text and radio deselect on the login form.
 */
jQuery(document).ready(function() {
    jQuery('#user_login').attr('placeholder', 'User#Passphrase');
    jQuery('#user_email').attr('placeholder', 'User Email');
    jQuery('#user_pass').attr('placeholder', 'Site Password');
    var checked_val = "null";
    // Clicking the already-selected option deselects it and falls back to the hidden "null" radio
    jQuery(".no_option").on("click", function() {
        if (jQuery(this).val() == checked_val) {
            jQuery('input[name=hash][value=null]').prop("checked", true);
            checked_val = "null";
        } else {
            checked_val = jQuery(this).val();
            // jQuery has no propRemove(); clear the checked state with prop()
            jQuery('input[name=hash][value=null]').prop("checked", false);
        }
    });
});
}}}
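As an added check that is not part of the ticket's plugin, the following stand-alone PHP script reproduces the plugin's username derivation without WordPress and runs it over constructed inputs, so the mapping can be reviewed from the command line; the file name is hypothetical and PHP 7.1 or later is assumed for hash('sha3-224', ...). It also exercises the one property of DES tripcodes a reviewer of this proposal should weigh: crypt(3) keys are truncated to 8 bytes.

```php
<?php
// sha3-signon-check.php (hypothetical name): stand-alone harness, not the ticket's plugin code.
// Reproduces the username derivation from the plugin above without WordPress so the mapping
// can be reviewed from the command line: php sha3-signon-check.php

// Classic DES tripcode: crypt(3) with a two-character salt taken from the passphrase itself.
function des_tripcode($tripcoded)
{
    $salt = substr($tripcoded . "H.", 1, 2);
    $salt = preg_replace("/[^\.-z]/", ".", $salt);
    $salt = strtr($salt, ":;<=>?@[\\]^_`", "ABCDEFGabcdef");
    return substr(crypt($tripcoded, $salt), -10);
}

// Username the plugin would store for a given sign-on field value and hash option.
function derive_username($login, $hash_option)
{
    if ($hash_option === 'des_tripcode') {
        if (strpos($login, '#') !== false) {
            $parts = explode('#', $login);
            return $parts[0] . '!' . des_tripcode($parts[1]);  // name!tripcode
        }
        return '!' . des_tripcode($login);                      // !tripcode
    }
    if ($hash_option === 'sha3_hash') {
        return '!!' . hash('sha3-224', $login);                 // !!sha3-224(login)
    }
    return $login;                                              // plain username
}

// Constructed inputs (not from the ticket); the two passphrases share their first 8 bytes.
$cases = array(
    array('alice#correct horse battery', 'des_tripcode'),
    array('alice#correct hotel', 'des_tripcode'),
    array('alice', 'sha3_hash'),
);
foreach ($cases as $c) {
    printf("%-28s %-12s -> %s\n", $c[0], $c[1], derive_username($c[0], $c[1]));
}

// Caveat a reviewer should know: traditional DES crypt() uses only the first 8 bytes of the
// key, so passphrases sharing those bytes yield the same tripcode. The 10-character tripcode
// therefore carries no more than the entropy of 8 ASCII bytes and identifies a nickname, not a
// verified credential; the determinism itself is what gives the cross-domain interoperability.
$same = derive_username('alice#correct horse battery', 'des_tripcode')
    === derive_username('alice#correct hotel', 'des_tripcode');
echo 'same tripcode for both passphrases: ' . ($same ? 'yes' : 'no') . "\n";
exit($same ? 0 : 1);
```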
[1]: https://wordpress.stackexchange.com/questions/138951/what-hooks-should-i-use-for-pre-login-and-pre-registration-actions
[2]: https://wordpress.stackexchange.com/questions/189121/wordpress-4-invalid-username-special-charachters-issue
[3]: https://wordpress.stackexchange.com/questions/119273/add-action-which-returns-modified-value
--
Ticket URL: <https://core.trac.wordpress.org/ticket/53402>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform