Upgrade/Install: Don't run signature verify on slow 32-bit systems.

The sodium_compat library can be very slow for certain operations on 32-bit architectures, which can lead to web server timeouts while attempting to verify an update. This adds a runtime speed check to skip signature verification on systems that would otherwise time out. Includes simple unit tests.

Props dd32, paragoninitiativeenterprises.
See #47186.


git-svn-id: https://develop.svn.wordpress.org/trunk@45345 602fd350-edb4-49c9-b593-d223f7449a82
Alex Shiels
2019-05-17 11:05:45 +00:00
parent 3360d50bc2
commit 85a90cb244
2 changed files with 92 additions and 0 deletions


@@ -183,4 +183,63 @@ class Tests_File extends WP_UnitTestCase {
);
}
/**
* @ticket 47186
*/
function test_file_signature_functions_as_expected() {
$file = wp_tempnam();
file_put_contents( $file, 'WordPress' );
// The signature of 'WordPress' after SHA384 hashing, for verification against the key within self::filter_trust_plus85Tq_key().
$expected_signature = 'PmNv0b1ziwJAsVhjdpjd4+PQZidZWSlBm5b+GbbwE9m9HVKDFhEyvyRTHkRYOLypB8P2YvbW7CoOMZqGh8mEAA==';
add_filter( 'wp_trusted_keys', array( $this, 'filter_trust_plus85Tq_key' ) );
// Measure how long the call takes.
$timer_start = microtime( 1 );
$verify = verify_file_signature( $file, $expected_signature, 'WordPress' );
$timer_end = microtime( 1 );
$time_taken = ( $timer_end - $timer_start );
unlink( $file );
remove_filter( 'wp_trusted_keys', array( $this, 'filter_trust_plus85Tq_key' ) );
// verify_file_signature() should intentionally never take more than 10s to run.
$this->assertLessThan( 10, $time_taken, 'verify_file_signature() took longer than 10 seconds.' );
// Check to see if the system parameters prevent signature verifications.
if ( is_wp_error( $verify ) && 'signature_verification_unsupported' == $verify->get_error_code() ) {
$this->markTestSkipped( 'This system does not support Signature Verification.' );
}
$this->assertNotWPError( $verify );
$this->assertTrue( $verify );
}
/**
* @ticket 47186
*/
function test_file_signature_expected_failure() {
$file = wp_tempnam();
file_put_contents( $file, 'WordPress' );
// Test an invalid signature.
$expected_signature = base64_encode( str_repeat( 'A', SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES ) );
$verify = verify_file_signature( $file, $expected_signature, 'WordPress' );
unlink( $file );
if ( is_wp_error( $verify ) && 'signature_verification_unsupported' == $verify->get_error_code() ) {
$this->markTestSkipped( 'This system does not support Signature Verification.' );
}
$this->assertWPError( $verify );
$this->assertEquals( 'signature_verification_failed', $verify->get_error_code() );
}
function filter_trust_plus85Tq_key( $keys ) {
// A static once-off key used to verify verify_file_signature() works as expected.
$keys[] = '+85TqMhxQVAYVW4BSCVkJQvZH4q7z8I9lePbvngvf7A=';
return $keys;
}
}
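Review bot: The invalid signature in test_file_signature_expected_failure() is sized with `SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES`, which is the public-key length, whereas the valid signature in the first test decodes to 64 bytes. The negative test therefore feeds a wrong-length value rather than a well-formed but incorrect signature. If verify_file_signature() (not shown in this hunk) discards wrong-length signatures before calling into sodium, the cryptographic rejection path is never exercised and a regression there would go unnoticed. I would change the line to `$expected_signature = base64_encode( str_repeat( 'A', SODIUM_CRYPTO_SIGN_BYTES ) );`. I would also register the `wp_trusted_keys` filter in this test, as the first test does, so the rejection is checked against a known key rather than whatever keys are trusted by default.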