'shuffle-salts' corrupts wp-config.php if semi-colon in original salt

Question

'shuffle-salts' corrupts wp-config.php if semi-colon in original salt

cldevs opened this issue 5 years ago · comments

Summary:
"wp config shuffle-salts" creates a malformed wp-config.php file if a semi-colon is contained in the original salt

Steps to reproduce:
Place a semi-colon in one of the salts in wp-config.php and run "wp config shuffle-salts"

Severity - High (Breaks site as it is unable to load wp-config.php)

Frankie Jarrett · Answer 1 · Tue Feb 05 2019 09:48:36 GMT+0800 (China Standard Time)

@cldevs What version of WP-CLI are you running? We fixed a similar issue in the transformer prior to 2.1.0: #9

CL Web Developers · Answer 2 · Tue Feb 05 2019 09:54:11 GMT+0800 (China Standard Time)

Sorry I missed that. It's v2.1.0

Daniel Bachhuber · Answer 3 · Mon Feb 18 2019 22:49:37 GMT+0800 (China Standard Time)

@fjarrett Were you able to reproduce this issue?

Ivan Akulov · Answer 4 · Sun Feb 24 2019 08:57:40 GMT+0800 (China Standard Time)

I’m able to reproduce what seems to be the same issue with wp cli 2.1.0.

My steps to reproduce:

# Prepare the environment
mkdir /tmp/wp
cd /tmp/wp
wp core download
wp config create --dbname=testing --dbuser=wp --skip-check

# Reproduce the bug
wp config set CSS_RULE '@import url("some-file.css");'
wp config set CSS_RULE '@import url("some-file.css");'

Expected result: the wp-config.php file should include the following:

define( 'CSS_RULE', '@import url("some-file.css");' );

Actual result: the wp-config.php file includes the following:

define( 'CSS_RULE', '@import url("some-file.css");');' );

Alain Schlesser · Answer 5 · Sun Feb 24 2019 15:51:50 GMT+0800 (China Standard Time)

Thanks, @iamakulov, I can reproduce with the steps you've described as well.

Alain Schlesser · Answer 6 · Sat Mar 30 2019 20:25:18 GMT+0800 (China Standard Time)

Additional comment from @cldevs from #15:

Again, the issue is that a semi-colon somewhere in the string of a value fools the transformer into thinking that's the end of the key-value declaration which results in a corrupt wp-config.php file and winds up taking down a Wordpress site.

WPConfigTransformer.php - Line 199-203

$contents = preg_replace(
   sprintf( '/(?<=^|;|<?php\s|<?\s)(\s*?)%s/m', preg_quote( trim( $old_src ), '/' ) ),
   '$1' . str_replace( '$', '$', trim( $new_src ) ),
   $this->wp_config_src
);

Is this just a matter of including the ending newline character at the end of each search string (e.g. after the semi-colon) so it matches right to the end of the line instead of stopping part-way? Then including a newline character at the end of the replace? Any other implications here?

Alain Schlesser · Answer 7 · Mon Apr 01 2019 23:14:41 GMT+0800 (China Standard Time)

@fjarrett Any specific thoughts on what the best approach is here? As we already had a similar fix, there's the chance we're circling around...

Frankie Jarrett · Answer 8 · Tue Apr 30 2019 00:32:01 GMT+0800 (China Standard Time)

@schlessera I followed the steps above and I cannot reproduce this issue.

Alain Schlesser · Answer 9 · Tue Apr 30 2019 22:43:47 GMT+0800 (China Standard Time)

@fjarrett I cannot replicate either with the latest release (v2.2.0).

@cldevs Is this still an issue for you? I think it might have been fixed in the mean time but the fix was only included with the latest release.

CL Web Developers · Answer 10 · Wed May 01 2019 08:11:00 GMT+0800 (China Standard Time)

Confirmed this is now fixed in v2.2.0! Thanks!