Security: Enhance the wp_hash() function to support custom hashing …

…algorithms. The default algorithm remains as md5, but this change allows any algorithm that's supported by `hash_hmac()` to be used instead. Props pushpenderindia, ayeshrajans, debarghyabanerjee, johnbillion Fixes #62005 git-svn-id: https://develop.svn.wordpress.org/trunk@59578 602fd350-edb4-49c9-b593-d223f7449a82
draganescu · Jan 6, 2025 · 3a07176 · 3a07176
1 parent d6aa043
commit 3a07176
Show file tree

Hide file tree

Showing 3 changed files with 63 additions and 3 deletions.
diff --git a/src/wp-includes/pluggable.php b/src/wp-includes/pluggable.php
@@ -2581,18 +2581,38 @@ function wp_salt( $scheme = 'auth' ) {
 
 if ( ! function_exists( 'wp_hash' ) ) :
 	/**
-	 * Gets hash of given string.
+	 * Gets the hash of the given string.
+	 *
+	 * The default algorithm is md5 but can be changed to any algorithm supported by
+	 * `hash_hmac()`. Use the `hash_hmac_algos()` function to check the supported
+	 * algorithms.
 	 *
 	 * @since 2.0.3
+	 * @since 6.8.0 The `$algo` parameter was added.
+	 *
+	 * @throws InvalidArgumentException if the hashing algorithm is not supported.
 	 *
 	 * @param string $data   Plain text to hash.
 	 * @param string $scheme Authentication scheme (auth, secure_auth, logged_in, nonce).
+	 * @param string $algo   Hashing algorithm to use. Default: 'md5'.
 	 * @return string Hash of $data.
 	 */
-	function wp_hash( $data, $scheme = 'auth' ) {
+	function wp_hash( $data, $scheme = 'auth', $algo = 'md5' ) {
 		$salt = wp_salt( $scheme );
 
-		return hash_hmac( 'md5', $data, $salt );
+		// Ensure the algorithm is supported by the hash_hmac function.
+		if ( ! in_array( $algo, hash_hmac_algos(), true ) ) {
+			throw new InvalidArgumentException(
+				sprintf(
+					/** translators: 1: Name of a cryptographic hash algorithm. 2: List of supported algorithms. */
+					__( 'Unsupported hashing algorithm: %1$s. Supported algorithms are: %2$s' ),
+					$algo,
+					implode( ', ', hash_hmac_algos() )
+				)
+			);
+		}
+
+		return hash_hmac( $algo, $data, $salt );
 	}
 endif;
 

diff --git a/tests/phpunit/tests/functions/wpHash.php b/tests/phpunit/tests/functions/wpHash.php
@@ -0,0 +1,39 @@
+<?php
+
+/**
+ * Tests for the behavior of `wp_hash()`
+ *
+ * @group functions
+ *
+ * @covers ::wp_hash
+ */
+class Tests_Functions_wpHash extends WP_UnitTestCase {
+
+	/**
+	 * @dataProvider data_wp_hash_uses_specified_algorithm
+	 *
+	 * @ticket 62005
+	 */
+	public function test_wp_hash_uses_specified_algorithm( string $algo, int $expected_length ) {
+		$hash = wp_hash( 'data', 'auth', $algo );
+
+		$this->assertSame( $expected_length, strlen( $hash ) );
+	}
+
+	public function data_wp_hash_uses_specified_algorithm() {
+		return array(
+			array( 'md5', 32 ),
+			array( 'sha1', 40 ),
+			array( 'sha256', 64 ),
+		);
+	}
+
+	/**
+	 * @ticket 62005
+	 */
+	public function test_wp_hash_throws_exception_on_invalid_algorithm() {
+		$this->expectException( 'InvalidArgumentException' );
+
+		wp_hash( 'data', 'auth', 'invalid' );
+	}
+}
diff --git a/tests/phpunit/tests/pluggable/signatures.php b/tests/phpunit/tests/pluggable/signatures.php
@@ -209,6 +209,7 @@ public function get_pluggable_function_signatures() {
 			'wp_hash'                         => array(
 				'data',
 				'scheme' => 'auth',
+				'algo'   => 'md5',
 			),
 			'wp_hash_password'                => array( 'password' ),
 			'wp_check_password'               => array(