[wp-trac] [WordPress Trac] #55536: Make sure wp_generate_password() never generates a string containing 0x to prevent blocking from mod_security
WordPress Trac
noreply at wordpress.org
Wed Apr 6 13:32:53 UTC 2022
#55536: Make sure wp_generate_password() never generates a string containing 0x to prevent blocking from mod_security
--------------------------+-----------------------------
Reporter: ReneHermi | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
A string/password that is generated by wp_generate_password() can lead to
a block of requests by security plugins or modules like mod_security,
because it's possible that a generated string can contain the string part
0x.
This part triggers the server security module because literals that start
with 0x are hexadecimal integers.
Best would be to prevent this character combination in the core of this method
by doing a simple replace of 0x with something like a0, or by removing the
character x from the list of available characters.
This is not a theoretical topic: wp_generate_password() is sometimes used to
create API access keys. We know from one client that one of his access
keys created by wp_generate_password() led to a complete break of his
application because his access token was a string like
6zx**0X**F5CzCqwkKu2RbKU9KuCtEV0OR6uyBcw4BZx345345345QPzBj
A password, as it is user input, should never contain a phrase like 0x if
you want to make sure the generated string will pass security modules.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/55536>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
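The following is an added example, not code from the ticket or from WordPress core, showing one way to implement the reporter's second suggestion without patching core: hook the 'random_password' filter that wp_generate_password() applies to its result and substitute the x/X of every "0x"/"0X" occurrence with another character from the alphabet. It assumes WordPress is loaded (wp_generate_password(), wp_rand() and the 'random_password' filter exist); the example_* function names are the example's own.

```php
<?php
/**
 * Added example (not part of the ticket or of WordPress core): post-process
 * the output of wp_generate_password() so it never contains "0x" or "0X".
 *
 * Assumes WordPress is loaded: wp_generate_password(), wp_rand() and the
 * 'random_password' filter are real core APIs; the example_* helpers are ours.
 */

/**
 * True if $str contains "0x" or "0X" anywhere. This is the check you would
 * run over an existing API key before deciding whether it needs rotating.
 */
function example_contains_hex_prefix( string $str ): bool {
    // stripos() is case-insensitive, so the reporter's "6zx0XF5..." is caught too.
    return stripos( $str, '0x' ) !== false;
}

/**
 * Replace the x/X of every "0x"/"0X" occurrence with a random character that
 * is neither x/X nor 0, so a substitution can never form a new "0x" with the
 * neighbouring characters. The loop therefore always terminates.
 *
 * $alphabet should be (a subset of) the character set the password was drawn
 * from; the default is the alphanumeric part of wp_generate_password()'s set.
 */
function example_strip_hex_prefix(
    string $password,
    string $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
): string {
    $candidates = str_replace( array( 'x', 'X', '0' ), '', $alphabet );
    $max        = strlen( $candidates ) - 1;

    while ( ( $pos = stripos( $password, '0x' ) ) !== false ) {
        // wp_rand() is inclusive on both ends and uses a CSPRNG where available.
        $password[ $pos + 1 ] = $candidates[ wp_rand( 0, $max ) ];
    }

    return $password;
}

/**
 * wp_generate_password() ends with
 *   apply_filters( 'random_password', $password, $length, $special_chars, $extra_special_chars );
 * so every caller in core and in plugins gets the sanitised value.
 */
add_filter(
    'random_password',
    function ( $password, $length, $special_chars, $extra_special_chars ) {
        return example_strip_hex_prefix( $password );
    },
    10,
    4
);

// Quick self-check, e.g. from WP-CLI `wp eval-file`: a 200-character key is
// long enough that an unfiltered "0x" is quite likely to appear at least once.
if ( function_exists( 'wp_generate_password' ) ) {
    $key = wp_generate_password( 200, false );
    echo example_contains_hex_prefix( $key ) ? "FAIL: 0x present\n" : "OK: no 0x in key\n";
}
```

Substituting one character instead of regenerating keeps the filter simple and side-effect free; the entropy cost is negligible (at most the difference between a 62- and a 61-symbol alphabet for the affected positions). Because the hook runs on every wp_generate_password() call, it also covers keys generated by plugins, which is where the reporter saw the problem. Whether a given WAF actually blocks on "0x" depends on its rule set, so the check function is the part to run before assuming an existing token is safe.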