[wp-trac] [WordPress Trac] #56860: Sodium Compat library is improperly loaded

WordPress Trac noreply at wordpress.org
Thu Oct 20 01:20:43 UTC 2022


#56860: Sodium Compat library is improperly loaded
-------------------------------+-----------------------------
 Reporter:  TimothyBlynJacobs  |      Owner:  (none)
     Type:  defect (bug)       |     Status:  new
 Priority:  normal             |  Milestone:  Awaiting Review
Component:  Security           |    Version:  5.2
 Severity:  normal             |   Keywords:
  Focuses:                     |
-------------------------------+-----------------------------
 In #45806 the sodium compat library was added to WordPress. The library is
 only [https://github.com/WordPress/wordpress-develop/blob/a7a9e7602c51785de5261c15d8a720c535e829bf/src/wp-includes/compat.php#L340 loaded]
 if the `sodium_crypto_box` function is not defined.

 This accounts for scenarios where a user doesn't have Sodium available at
 all in their PHP installation. However, it doesn't accommodate users on
 PHP 7.2+ that have Sodium available, but compiled against an older
 libsodium version.

 For example, one of our users has the latest version of the Sodium
 extension available, but v1.0.11 of libsodium. This means that the
 `sodium_crypto_aead_xchacha20poly1305_ietf_encrypt` function is not
 available, since libsodium didn't add support for it until v1.0.12.

 The sodium compat library provides a polyfill for this function, but since
 the user's installation has `sodium_crypto_box` defined, WordPress does
 not load the polyfill library at all.

 Based on my reading of the sodium compat library, there would be no harm
 in us ''always'' loading the library. The autoloader is dynamic based on
 the features available, and each polyfill function is wrapped in a
 `function_exists` check.

 However, if we still wanted to conditionally load the polyfill we could
 use a more specific function like `sodium_crypto_stream_xchacha20_xor`.
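 The load decision described above, as an added model (not WordPress core or sodium_compat code) that simulates the three environments with constructed function lists and compares the current `sodium_crypto_box` check against the more specific check proposed in the ticket:

```php
<?php
// Added example, not code from WordPress core or sodium_compat. It models the
// decision in wp-includes/compat.php described in the ticket: the polyfill is
// loaded only when sodium_crypto_box() is undefined, so ext/sodium built against
// libsodium < 1.0.12 exports sodium_crypto_box() but never gets the polyfill.
// The $available arrays below are constructed to stand in for each environment.

/** Current condition: load the polyfill only if sodium_crypto_box is absent. */
function should_load_polyfill_current(array $available): bool
{
    return !in_array('sodium_crypto_box', $available, true);
}

/** Ticket's alternative: test for a function that only newer libsodium builds export. */
function should_load_polyfill_specific(array $available): bool
{
    return !in_array('sodium_crypto_stream_xchacha20_xor', $available, true);
}

/** Whether the AEAD function WordPress needs is callable after the load decision.
 *  sodium_compat guards every definition with function_exists(), so loading it
 *  can only add missing functions, never replace native ones. */
function xchacha_encrypt_callable(array $available, bool $polyfill_loaded): bool
{
    return $polyfill_loaded
        || in_array('sodium_crypto_aead_xchacha20poly1305_ietf_encrypt', $available, true);
}

$environments = [
    // Constructed: PHP 7.2+ with ext/sodium compiled against libsodium 1.0.11 (the user's case)
    'old libsodium' => ['sodium_crypto_box'],
    // Constructed: ext/sodium compiled against libsodium >= 1.0.12
    'new libsodium' => ['sodium_crypto_box', 'sodium_crypto_stream_xchacha20_xor',
                        'sodium_crypto_aead_xchacha20poly1305_ietf_encrypt'],
    // Constructed: no ext/sodium at all
    'no sodium'     => [],
];

foreach ($environments as $label => $env) {
    foreach (['current' => 'should_load_polyfill_current',
              'specific' => 'should_load_polyfill_specific'] as $name => $check) {
        $loads = $check($env);
        printf("%-14s %-8s check loads polyfill: %-5s -> xchacha20poly1305 encrypt callable: %s\n",
            $label, $name, var_export($loads, true),
            var_export(xchacha_encrypt_callable($env, $loads), true));
    }
}

// On a real host, report what the simulation stands in for (constants from ext/sodium).
if (defined('SODIUM_LIBRARY_VERSION')) {
    printf("\nThis host: libsodium %s, native xchacha20poly1305 encrypt: %s\n", SODIUM_LIBRARY_VERSION,
        function_exists('sodium_crypto_aead_xchacha20poly1305_ietf_encrypt') ? 'yes' : 'no');
}
```

 Only the "old libsodium" row differs between the two checks: the current check leaves the encrypt function unavailable there, while the specific check (or loading unconditionally) makes it callable in every environment.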

 Related: https://github.com/WordPress/two-factor/pull/389

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/56860>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform