WordPress 4.7.4: File integrity issues? #32

Closed
strarsis opened this issue Apr 22, 2017 · 9 comments

Comments

strarsis commented Apr 22, 2017

After upgrading from WordPress 4.7.3 to 4.7.4 I get core file integrity issues reported by WordFence.
Hence I downloaded the official WordPress 4.7.4 release zip and composer-required the johnpbloch/wordpress package and then compared both directories.

And indeed (besides extra misc files like composer.json) there are differences in minified JavaScript files and inlined code parts in some PHP files between official WordPress and composer package releases. About 100 files are affected.

Example: Deminified core.min.js files from both WordPress 4.7.4 sources:

retlehs commented Apr 22, 2017

also seeing this

vagrant@example:/srv/www/example.com/current$ wp core verify-checksums
Warning: File doesn't verify against checksum: wp-admin/js/user-profile.min.js
Warning: File doesn't verify against checksum: wp-admin/js/word-count.min.js
Warning: File doesn't verify against checksum: wp-admin/js/updates.min.js
Warning: File doesn't verify against checksum: wp-admin/js/postbox.min.js
Warning: File doesn't verify against checksum: wp-admin/js/nav-menu.min.js
Warning: File doesn't verify against checksum: wp-admin/js/theme.min.js
Warning: File doesn't verify against checksum: wp-admin/js/press-this.min.js
Warning: File doesn't verify against checksum: wp-admin/js/link.min.js
Warning: File doesn't verify against checksum: wp-admin/js/post.min.js
Warning: File doesn't verify against checksum: wp-admin/js/inline-edit-post.min.js
Warning: File doesn't verify against checksum: wp-admin/js/dashboard.min.js
Warning: File doesn't verify against checksum: wp-admin/js/tags.min.js
Warning: File doesn't verify against checksum: wp-admin/js/comment.min.js
Warning: File doesn't verify against checksum: wp-admin/js/common.min.js
Warning: File doesn't verify against checksum: wp-admin/js/revisions.min.js
Warning: File doesn't verify against checksum: wp-admin/js/image-edit.min.js
Warning: File doesn't verify against checksum: wp-admin/js/widgets.min.js
Warning: File doesn't verify against checksum: wp-admin/js/customize-nav-menus.min.js
Warning: File doesn't verify against checksum: wp-admin/js/custom-background.min.js
Warning: File doesn't verify against checksum: wp-admin/js/svg-painter.min.js
Warning: File doesn't verify against checksum: wp-admin/js/customize-widgets.min.js
Warning: File doesn't verify against checksum: wp-admin/js/editor-expand.min.js
Warning: File doesn't verify against checksum: wp-admin/js/color-picker.min.js
Warning: File doesn't verify against checksum: wp-admin/js/gallery.min.js
Warning: File doesn't verify against checksum: wp-admin/js/tags-box.min.js
Warning: File doesn't verify against checksum: wp-admin/js/password-strength-meter.min.js
Warning: File doesn't verify against checksum: wp-admin/js/editor.min.js
Warning: File doesn't verify against checksum: wp-admin/js/user-suggest.min.js
Warning: File doesn't verify against checksum: wp-admin/js/edit-comments.min.js
Warning: File doesn't verify against checksum: wp-admin/js/customize-controls.min.js
Warning: File doesn't verify against checksum: wp-admin/js/tags-suggest.min.js
Warning: File doesn't verify against checksum: wp-admin/css/themes.min.css
Warning: File doesn't verify against checksum: wp-admin/css/themes-rtl.min.css
Warning: File doesn't verify against checksum: wp-includes/js/media-audiovideo.min.js
Warning: File doesn't verify against checksum: wp-includes/js/customize-preview.min.js
Warning: File doesn't verify against checksum: wp-includes/js/media-views.min.js
Warning: File doesn't verify against checksum: wp-includes/js/autosave.min.js
Warning: File doesn't verify against checksum: wp-includes/js/twemoji.min.js
Warning: File doesn't verify against checksum: wp-includes/js/media-editor.min.js
Warning: File doesn't verify against checksum: wp-includes/js/plupload/handlers.min.js
Warning: File doesn't verify against checksum: wp-includes/js/plupload/wp-plupload.min.js
Warning: File doesn't verify against checksum: wp-includes/js/wp-emoji.min.js
Warning: File doesn't verify against checksum: wp-includes/js/customize-base.min.js
Warning: File doesn't verify against checksum: wp-includes/js/wp-custom-header.min.js
Warning: File doesn't verify against checksum: wp-includes/js/wplink.min.js
Warning: File doesn't verify against checksum: wp-includes/js/utils.min.js
Warning: File doesn't verify against checksum: wp-includes/js/customize-selective-refresh.min.js
Warning: File doesn't verify against checksum: wp-includes/js/json2.min.js
Warning: File doesn't verify against checksum: wp-includes/js/heartbeat.min.js
Warning: File doesn't verify against checksum: wp-includes/js/media-models.min.js
Warning: File doesn't verify against checksum: wp-includes/js/colorpicker.min.js
Warning: File doesn't verify against checksum: wp-includes/js/admin-bar.min.js
Warning: File doesn't verify against checksum: wp-includes/js/jquery/ui/datepicker.min.js
Warning: File doesn't verify against checksum: wp-includes/js/jquery/ui/dialog.min.js
Warning: File doesn't verify against checksum: wp-includes/js/jquery/ui/progressbar.min.js
Warning: File doesn't verify against checksum: wp-includes/js/jquery/ui/mouse.min.js
Warning: File doesn't verify against checksum: wp-includes/js/jquery/ui/slider.min.js
Warning: File doesn't verify against checksum: wp-includes/js/jquery/ui/droppable.min.js
Warning: File doesn't verify against checksum: wp-includes/js/jquery/ui/position.min.js
Warning: File doesn't verify against checksum: wp-includes/js/jquery/ui/draggable.min.js
Warning: File doesn't verify against checksum: wp-includes/js/jquery/ui/effect.min.js
Warning: File doesn't verify against checksum: wp-includes/js/jquery/ui/spinner.min.js
Warning: File doesn't verify against checksum: wp-includes/js/jquery/ui/accordion.min.js
Warning: File doesn't verify against checksum: wp-includes/js/jquery/ui/resizable.min.js
Warning: File doesn't verify against checksum: wp-includes/js/jquery/ui/widget.min.js
Warning: File doesn't verify against checksum: wp-includes/js/jquery/ui/autocomplete.min.js
Warning: File doesn't verify against checksum: wp-includes/js/jquery/ui/core.min.js
Warning: File doesn't verify against checksum: wp-includes/js/jquery/ui/menu.min.js
Warning: File doesn't verify against checksum: wp-includes/js/jquery/ui/tabs.min.js
Warning: File doesn't verify against checksum: wp-includes/js/jquery/ui/sortable.min.js
Warning: File doesn't verify against checksum: wp-includes/js/jquery/ui/tooltip.min.js
Warning: File doesn't verify against checksum: wp-includes/js/jquery/ui/button.min.js
Warning: File doesn't verify against checksum: wp-includes/js/wp-pointer.min.js
Warning: File doesn't verify against checksum: wp-includes/js/wp-embed-template.min.js
Warning: File doesn't verify against checksum: wp-includes/js/shortcode.min.js
Warning: File doesn't verify against checksum: wp-includes/js/quicktags.min.js
Warning: File doesn't verify against checksum: wp-includes/js/imagesloaded.min.js
Warning: File doesn't verify against checksum: wp-includes/js/mediaelement/wp-playlist.min.js
Warning: File doesn't verify against checksum: wp-includes/js/wp-emoji-release.min.js
Warning: File doesn't verify against checksum: wp-includes/js/mce-view.min.js
Warning: File doesn't verify against checksum: wp-includes/js/customize-models.min.js
Warning: File doesn't verify against checksum: wp-includes/js/wp-emoji-loader.min.js
Warning: File doesn't verify against checksum: wp-includes/js/customize-loader.min.js
Warning: File doesn't verify against checksum: wp-includes/js/hoverIntent.min.js
Warning: File doesn't verify against checksum: wp-includes/js/tinymce/plugins/wordpress/plugin.min.js
Warning: File doesn't verify against checksum: wp-includes/js/tinymce/plugins/wpdialogs/plugin.min.js
Warning: File doesn't verify against checksum: wp-includes/js/tinymce/plugins/wplink/plugin.min.js
Warning: File doesn't verify against checksum: wp-includes/js/tinymce/plugins/wptextpattern/plugin.min.js
Warning: File doesn't verify against checksum: wp-includes/js/tinymce/plugins/wpeditimage/plugin.min.js
Warning: File doesn't verify against checksum: wp-includes/js/tinymce/plugins/wpview/plugin.min.js
Warning: File doesn't verify against checksum: wp-includes/js/tinymce/wp-tinymce.js.gz
Warning: File doesn't verify against checksum: wp-includes/js/wp-api.min.js
Warning: File doesn't verify against checksum: wp-includes/js/customize-preview-nav-menus.min.js
Warning: File doesn't verify against checksum: wp-includes/js/customize-preview-widgets.min.js
Warning: File doesn't verify against checksum: wp-includes/js/wp-embed.min.js
Warning: File doesn't verify against checksum: wp-includes/js/tw-sack.min.js
Warning: File doesn't verify against checksum: wp-includes/js/media-grid.min.js
Warning: File doesn't verify against checksum: wp-includes/formatting.php
Warning: File doesn't verify against checksum: wp-includes/embed.php
Error: WordPress install doesn't verify against checksums.
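An added example, not code from this thread or from the build-wp project: a small Python verifier that does what `wp core verify-checksums` does (an MD5 per file compared against a manifest in the shape of the api.wordpress.org checksum response) and additionally lists files the manifest does not know about, such as the composer.json a Composer-built package ships. The sample files and manifest are constructed inline so it runs offline; the hashes are not real WordPress 4.7.4 values.

```python
import hashlib
import os
import tempfile

# Constructed sample tree; its manifest is derived below in the shape of the
# api.wordpress.org checksum response ({"checksums": {"path": "md5"}}).
SAMPLE_FILES = {
    "wp-includes/formatting.php": b"<?php function wptexturize($t) { return $t; }\n",
    "wp-admin/js/common.min.js": b"!function(a){a.x=1}(window);\n",
}

def md5_of(path):
    """MD5 hex digest of a file (the digest the WordPress checksum API publishes)."""
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def verify_checksums(root, manifest):
    """Return sorted lists: 'mismatch' (digest differs), 'missing' (in manifest, not
    on disk), 'extra' (on disk, unknown to manifest). All empty == a clean install."""
    expected = manifest["checksums"]
    mismatch, missing = [], []
    for rel, digest in expected.items():
        path = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(path):
            missing.append(rel)
        elif md5_of(path) != digest:
            mismatch.append(rel)
    on_disk = {os.path.relpath(os.path.join(d, n), root).replace(os.sep, "/")
               for d, _, names in os.walk(root) for n in names}
    return {"mismatch": sorted(mismatch), "missing": sorted(missing),
            "extra": sorted(on_disk - set(expected))}

def build_sample_install(tamper=True):
    """Write SAMPLE_FILES to a temp dir and derive its manifest. With tamper=True,
    re-minify one script to different bytes and add composer.json (as in the thread)."""
    root = tempfile.mkdtemp(prefix="wpcheck-")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(body)
    manifest = {"checksums": {rel: md5_of(os.path.join(root, *rel.split("/")))
                              for rel in SAMPLE_FILES}}
    if tamper:  # same program, different minifier output: the checksum still fails
        with open(os.path.join(root, "wp-admin", "js", "common.min.js"), "wb") as f:
            f.write(b"!function(a){a.x=1;}(window);\n")
        with open(os.path.join(root, "composer.json"), "wb") as f:
            f.write(b'{"name": "example/site"}\n')
    return root, manifest
```

Against a real install, replace `build_sample_install` with the site root and the JSON fetched from the checksum API for the installed version and locale.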

johnpbloch (Owner) commented

Since I build the core package from source, the compiled and minified scripts and stylesheets have slightly different contents. My package is not the same as the .org package.

If you're interested in reviewing how I'm generating the core package, check out the build script at https://github.com/johnpbloch/build-wp

strarsis commented Apr 22, 2017

@johnpbloch: Would it be possible to make the minified files match the checksums?
There are several reasons why this would be much better, including integrity checks and WAF scans like WordFence.

johnpbloch (Owner) commented

I think it's certainly possible for future tagged versions. It's honestly not a high priority for me. I'd certainly be happy to accept a contribution to the build script if you or another interested person sent in a pull request.

strarsis commented Apr 22, 2017

@johnpbloch: I just rebuilt 4.7.4 (using the recipe in the build-wp repository you linked to above) and now the text files are all identical - so it would work correctly with the current 4.7.4 svn tag.

Interestingly, there are no differences for 4.7.3 between official zip and composer package.

With the last 4.7.4 composer package, only the minified JavaScript files and inlined code parts differed.
The deobfuscated code also differed - maybe the WordPress devs changed something last-minute and re-tagged? It is unlikely that the uglify minifier is non-deterministic given the same input source.

strarsis commented Apr 26, 2017

@johnpbloch: I think an additional release (with an extra segment after the patch level, deviating from semver but following the composer version specs/examples (see https://getcomposer.org/doc/articles/versions.md)) will use the now correct 4.7.4 svn tagged commit and result in a correct composer package and an update successor to the current 4.7.4 composer package.

johnpbloch (Owner) commented

@strarsis I took some time to adjust the build script today. Tags no longer build from develop.svn but rather simply use the zip file distributed on wordpress.org for building tagged releases. What that means is that going forward, this shouldn't be a problem again, and releases should get to packagist faster to boot.
I'm going to look into getting a new set of releases tagged in the repo, probably doing a X.X.X.1 pattern to avoid needing to delete tags.

ollietreend commented

Great work @johnpbloch – thanks for this!

I came here wondering why my app has just updated to 4.7.4.1 despite that not being an official release – I was a little confused, but this makes sense. Using the official ZIP releases makes sense rather than rebuilding from source.

wunc commented May 17, 2017

I just want to note a side-effect: since the twentyeleven through twentyfourteen themes are not included in the zip (but are in the source), they are no longer installed since @johnpbloch updated the build script to build from the zip instead of the source. (At least I think that's the reason.)

This threw me for a bit of a loop because I had activated them on a network site, and a couple of the sub-sites that were using them broke when I updated today. I had to manually add them back from wpackagist.
