From 0675902ec8f7dad5cc12aea5935c6ff2d332e6e3 Mon Sep 17 00:00:00 2001
From: Scott Taylor
Date: Wed, 11 Jun 2014 18:35:42 +0000
Subject: [PATCH] Don't use variable variables in `wp_salt()`. See #27881.
git-svn-id: https://develop.svn.wordpress.org/trunk@28741 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/pluggable.php | 44 ++++++++++++++++++++---------------
 1 file changed, 25 insertions(+), 19 deletions(-)
diff --git a/src/wp-includes/pluggable.php b/src/wp-includes/pluggable.php
index 92e234d57b..551fba6ec6 100644
--- a/src/wp-includes/pluggable.php
+++ b/src/wp-includes/pluggable.php
@@ -1773,45 +1773,51 @@ function wp_salt( $scheme = 'auth' ) {
 $duplicated_keys = array( 'put your unique phrase here' => true );
 foreach ( array( 'AUTH', 'SECURE_AUTH', 'LOGGED_IN', 'NONCE', 'SECRET' ) as $first ) {
 foreach ( array( 'KEY', 'SALT' ) as $second ) {
- if ( ! defined( "{$first}_{$second}" ) )
+ if ( ! defined( "{$first}_{$second}" ) ) {
 continue;
+ }
 $value = constant( "{$first}_{$second}" );
 $duplicated_keys[ $value ] = isset( $duplicated_keys[ $value ] );
 }
 }
 }
- $key = $salt = '';
- if ( defined( 'SECRET_KEY' ) && SECRET_KEY && empty( $duplicated_keys[ SECRET_KEY ] ) )
- $key = SECRET_KEY;
- if ( 'auth' == $scheme && defined( 'SECRET_SALT' ) && SECRET_SALT && empty( $duplicated_keys[ SECRET_SALT ] ) )
- $salt = SECRET_SALT;
+ $values = array(
+ 'key' => '',
+ 'salt' => ''
+ );
+ if ( defined( 'SECRET_KEY' ) && SECRET_KEY && empty( $duplicated_keys[ SECRET_KEY ] ) ) {
+ $values['key'] = SECRET_KEY;
+ }
+ if ( 'auth' == $scheme && defined( 'SECRET_SALT' ) && SECRET_SALT && empty( $duplicated_keys[ SECRET_SALT ] ) ) {
+ $values['salt'] = SECRET_SALT;
+ }
 if ( in_array( $scheme, array( 'auth', 'secure_auth', 'logged_in', 'nonce' ) ) ) {
 foreach ( array( 'key', 'salt' ) as $type ) {
 $const = strtoupper( "{$scheme}_{$type}" );
 if ( defined( $const ) && constant( $const ) && empty( $duplicated_keys[ constant( $const ) ] ) ) {
- $$type = constant( $const );
- } elseif ( ! $$type ) {
- $$type = get_site_option( "{$scheme}_{$type}" );
- if ( ! $$type ) {
- $$type = wp_generate_password( 64, true, true );
- update_site_option( "{$scheme}_{$type}", $$type );
+ $values[ $type ] = constant( $const );
+ } elseif ( ! $values[ $type ] ) {
+ $values[ $type ] = get_site_option( "{$scheme}_{$type}" );
+ if ( ! $values[ $type ] ) {
+ $values[ $type ] = wp_generate_password( 64, true, true );
+ update_site_option( "{$scheme}_{$type}", $values[ $type ] );
 }
 }
 }
 } else {
- if ( ! $key ) {
- $key = get_site_option( 'secret_key' );
- if ( ! $key ) {
- $key = wp_generate_password( 64, true, true );
- update_site_option( 'secret_key', $key );
+ if ( ! $values['key'] ) {
+ $values['key'] = get_site_option( 'secret_key' );
+ if ( ! $values['key'] ) {
+ $values['key'] = wp_generate_password( 64, true, true );
+ update_site_option( 'secret_key', $values['key'] );
 }
 }
- $salt = hash_hmac( 'md5', $scheme, $key );
+ $values['salt'] = hash_hmac( 'md5', $scheme, $values['key'] );
 }
- $cached_salts[ $scheme ] = $key . $salt;
+ $cached_salts[ $scheme ] = $values['key'] . $values['salt'];
 /** This filter is documented in wp-includes/pluggable.php */
 return apply_filters( 'salt', $cached_salts[ $scheme ], $scheme );
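Review bot: The rewritten `SECRET_SALT` guard still compares with `'auth' == $scheme`, and the unchanged `in_array( $scheme, array( 'auth', 'secure_auth', 'logged_in', 'nonce' ) )` below it is also non-strict, so a non-string `$scheme` such as `true` would satisfy both under PHP's loose comparison and be handled as a named scheme, reading and writing options named like `1_key`. Since the guard line is being touched anyway, I would make it `'auth' === $scheme` and pass `true` as the third argument to `in_array()`; whether any caller actually passes a non-string is not visible here, so treat this as hardening rather than a confirmed bug. Separately, the fallback `hash_hmac( 'md5', $scheme, $values['key'] )` deserves a short comment such as `// Salt is derived from the key here; it separates schemes but adds no independent secret.` so nobody later assumes the two halves are independent. `wp_salt()` begins above this hunk and its closing brace lies below it, so the cache lookup and anything after the `return` were not reviewed.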