diff options
| author | Martin Weinelt <hexa@darmstadt.ccc.de> | 2021-05-29 00:18:32 +0200 |
|---|---|---|
| committer | Martin Weinelt <hexa@darmstadt.ccc.de> | 2021-05-29 04:24:42 +0200 |
| commit | 724ed08df02546fea2ab38613d615dd47461528c (patch) | |
| tree | 090a29aca03e4c69313a92d1f9df45a3d565de0d /nixos | |
| parent | acf171303eb625776d21f8a3366b911d4d1c2e75 (diff) | |
nixos/wordpress: regenerate secret keys if misspelled key name is found
A secret key generated by the nixos module was misspelled, which could
possibly impact the security of session cookies.
To recover from this situation we will wipe all security keys that were
previously generated by the NixOS module, when the misspelled one is
found. This will result in all session cookies being invalidated. This
is confirmed by the wordpress documentation:
> You can change these at any point in time to invalidate all existing
> cookies. This does mean that all users will have to login again.
https://wordpress.org/support/article/editing-wp-config-php/#security-keys
Meanwhile this issue shouldn't be too grave, since the salting function
of wordpress will rely on the concatenation of both the user-provided
and automatically generated values, that are stored in the database.
> Secret keys are located in two places: in the database and in the
> wp-config.php file. The secret key in the database is randomly
> generated and will be appended to the secret keys in wp-config.php.
https://developer.wordpress.org/reference/functions/wp_salt/
Fixes: 2adb03fdaea6186299c6ff578bb6814d8f3bb30b ("nixos/wordpress:
generate secrets locally")
Reported-by: Moritz Hedtke <Moritz.Hedtke@t-online.de>
Diffstat (limited to 'nixos')
| -rw-r--r-- | nixos/modules/services/web-apps/wordpress.nix | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/nixos/modules/services/web-apps/wordpress.nix b/nixos/modules/services/web-apps/wordpress.nix index f251cfe32db64..775ecb3acaf0d 100644 --- a/nixos/modules/services/web-apps/wordpress.nix +++ b/nixos/modules/services/web-apps/wordpress.nix @@ -61,8 +61,10 @@ let ?> ''; - secretsVars = [ "AUTH_KEY" "SECURE_AUTH_KEY" "LOOGGED_IN_KEY" "NONCE_KEY" "AUTH_SALT" "SECURE_AUTH_SALT" "LOGGED_IN_SALT" "NONCE_SALT" ]; + secretsVars = [ "AUTH_KEY" "SECURE_AUTH_KEY" "LOGGED_IN_KEY" "NONCE_KEY" "AUTH_SALT" "SECURE_AUTH_SALT" "LOGGED_IN_SALT" "NONCE_SALT" ]; secretsScript = hostStateDir: '' + # The match in this line is not a typo, see https://github.com/NixOS/nixpkgs/pull/124839 + grep -q "LOOGGED_IN_KEY" "${hostStateDir}/secret-keys.php" && rm "${hostStateDir}/secret-keys.php" if ! test -e "${hostStateDir}/secret-keys.php"; then umask 0177 echo "<?php" >> "${hostStateDir}/secret-keys.php" |