Release version 0.1.3.2 #501
Merged
Collaborator randhirinsta commented May 13, 2026
- Security: Migration files on the destination site now use unguessable hashed filenames for stronger privacy.
- Improved: Each push migration automatically cleans up leftover artifact files at start for a cleaner destination site.
…nloadable by URL
Every push migration writes db.sql, iwp-db-received.sql, iwp-push-log.txt
to ABSPATH and db-<timestamp>.sql to wp-content. All four are static names
in the docroot, so anyone who knows the destination domain can GET them
directly. The encrypted credentials sidecar migrate-push-db-<N>.txt had
only 5 hex chars of filename entropy.
- Suffix four files with sha256(migrate_key)[0..16] (64 bits of entropy):
- ABSPATH/db.sql -> db-<key_hash>.sql
- ABSPATH/iwp-db-received.sql -> iwp-db-received-<key_hash>.sql
- ABSPATH/iwp-push-log.txt -> iwp-push-log-<key_hash>.txt
- WP_CONTENT_DIR/db-<ts>.sql -> db-<key_hash>-<ts>.sql
Wire format header X-File-Relative-Path: db.sql is unchanged — the
destination remaps internally, so older source plugins interop with
no coordinated upgrade.
- migrate-push-db-<5chars>.txt naming is intentionally NOT changed:
source and destination plugins compute it identically, and changing it
would break mixed-version pushes. Content is AES-256-CBC encrypted with
the full 160-bit migrate_key so filename entropy is not load-bearing.
- New helpers in includes/functions-pull-push.php (procedural so iwp-dest
can call them without bootstrapping WordPress):
- iwp_get_migration_key_hash()
- iwp_get_migration_file_paths()
- iwp_delete_migration_files()
- iwp_cleanup_stale_migration_files() — self-healing orphan sweep with
a 6h mtime threshold and current-migration exclusion, so concurrent
migrations can never race.
- iwp-dest invokes the orphan sweep inside the $_POST['check'] block (the
first call of every push), and passes the hash to iwp_backup_wp_database().
- InstaWP_Tools::clean_iwp_files_dir() extended with broad globs
(iwp-*.sql, iwp-*.txt, db*.sql in both ABSPATH and wp-content) so it
catches BOTH legacy plain names AND new hashed names — in-flight
migrations during the plugin upgrade are still cleaned up cleanly.
- No register_shutdown_function / no chmod 0600. Shutdown handlers
would race with successful mid-flight chunk writes; tightening perms
to 0600 can prevent the WP-context cleanup from deleting files
written by iwp-dest on suEXEC/suPHP hosts. Cleanup is layered:
primary API call on success, orphan sweep on the next push, plus the
unguessable filename in between.
- Tooltip for instawp_keep_db_sql_after_migration no longer references
the literal db.sql filename since the on-disk name is now hashed.
Verified with helper unit tests (deterministic hash, distinct keys,
idempotent delete, sweep skips fresh files, sweep keeps within-threshold,
sweep deletes stale, exclude_hash protects current migration, broad globs
match both legacy and hashed names).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…anup

The encrypted credentials sidecar migrate-push-db-<5chars>.txt and the legacy catch-all instawp-sql-* were only being deleted by the API-driven clean_iwp_files_dir(). On a failed migration that never reached that endpoint, the sidecar lingered indefinitely.

Adds both patterns to iwp_cleanup_stale_migration_files so the next push migration's startup sweep reclaims them. Still bounded by the same 6h mtime threshold so a concurrent in-flight migration cannot race.

The sidecar's naming scheme uses a 5-char raw-key prefix rather than the sha256 hash, so it can't participate in the exclude_hash protection — mtime is the sole guard, which is fine in practice because the sidecar is uploaded by the source at migration start (mtime ~= request start).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Bump Stable tag to 0.1.3.2.

Customer-facing changelog summarizes the push-migration security and cleanup work shipped in this version.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Matches the Stable tag and changelog entry in readme.txt.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
fix: hash push-migration artifacts on destination so they are not downloadable by URL
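The first commit message above describes the hashed-filename scheme (sha256(migrate_key)[0..16] as the suffix) and the startup orphan sweep with its 6h mtime threshold and exclude_hash protection; the follow-up cleanup commit adds the 5-char sidecar and legacy instawp-sql-* patterns, which can only be guarded by mtime. The following is an added example that models both behaviours so they can be run and inspected; it is written in Python rather than the plugin's PHP and is not the plugin's own code. The helper names follow the commit message, but their signatures, the SWEEP_PATTERNS tuple, the STALE_AFTER_SECONDS constant, the demo() fixture and the sample key strings are assumptions made for illustration.

```python
"""Model of the hashed-artifact naming and stale-orphan sweep described above.

Illustrative re-implementation, not the plugin's PHP. Helper names follow the
commit message; signatures, SWEEP_PATTERNS and the demo fixture are assumptions.
"""
import glob
import hashlib
import os
import shutil
import tempfile
import time

# Orphans younger than this are assumed to belong to an in-flight migration.
STALE_AFTER_SECONDS = 6 * 3600

# Broad globs: match legacy plain names (db.sql, iwp-push-log.txt) as well as
# hashed names, plus the encrypted sidecar and the legacy instawp-sql-* files.
SWEEP_PATTERNS = ("iwp-*.sql", "iwp-*.txt", "db*.sql",
                  "migrate-push-db-*.txt", "instawp-sql-*")


def iwp_get_migration_key_hash(migrate_key: str) -> str:
    """First 16 hex chars of sha256(migrate_key): 64 bits of filename entropy."""
    return hashlib.sha256(migrate_key.encode("utf-8")).hexdigest()[:16]


def iwp_get_migration_file_paths(abspath: str, wp_content_dir: str,
                                 key_hash: str, ts: str) -> dict:
    """The four destination artifacts, each suffixed with the key hash."""
    return {
        "db": os.path.join(abspath, f"db-{key_hash}.sql"),
        "received": os.path.join(abspath, f"iwp-db-received-{key_hash}.sql"),
        "log": os.path.join(abspath, f"iwp-push-log-{key_hash}.txt"),
        "backup": os.path.join(wp_content_dir, f"db-{key_hash}-{ts}.sql"),
    }


def iwp_cleanup_stale_migration_files(abspath: str, wp_content_dir: str,
                                      exclude_hash: str = None,
                                      now: float = None,
                                      stale_after: int = STALE_AFTER_SECONDS) -> list:
    """Delete matching artifacts older than stale_after seconds, never touching
    the current migration's files (exclude_hash) or anything still fresh.
    Returns the sorted basenames of deleted files; a second run deletes nothing."""
    now = time.time() if now is None else now
    candidates = set()  # a set, so a file matching two globs is handled once
    for directory in (abspath, wp_content_dir):
        for pattern in SWEEP_PATTERNS:
            candidates.update(glob.glob(os.path.join(directory, pattern)))
    deleted = []
    for path in sorted(candidates):
        name = os.path.basename(path)
        if exclude_hash and exclude_hash in name:
            continue  # current migration: protected regardless of age
        if not os.path.isfile(path) or now - os.path.getmtime(path) < stale_after:
            continue  # fresh: may belong to a concurrent in-flight push
        os.remove(path)
        deleted.append(name)
    return sorted(deleted)


def demo() -> dict:
    """Constructed fixture in a temp dir: one current migration, one abandoned
    one, a legacy plain-named db.sql and a stale encrypted sidecar."""
    root = tempfile.mkdtemp()
    content = os.path.join(root, "wp-content")
    os.mkdir(content)
    now = time.time()
    current = iwp_get_migration_key_hash("current-migrate-key")
    abandoned = iwp_get_migration_key_hash("abandoned-migrate-key")

    def touch(path, age_seconds):
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.utime(path, (now - age_seconds, now - age_seconds))

    touch(iwp_get_migration_file_paths(root, content, current, "1")["db"], 7 * 3600)
    touch(iwp_get_migration_file_paths(root, content, abandoned, "2")["log"], 7 * 3600)
    touch(iwp_get_migration_file_paths(root, content, abandoned, "2")["backup"], 1 * 3600)
    touch(os.path.join(root, "db.sql"), 7 * 3600)                     # legacy plain name
    touch(os.path.join(root, "migrate-push-db-a1b2c.txt"), 7 * 3600)  # stale sidecar, mtime-only guard
    try:
        first = iwp_cleanup_stale_migration_files(root, content, exclude_hash=current, now=now)
        second = iwp_cleanup_stale_migration_files(root, content, exclude_hash=current, now=now)
        kept = sorted(f for d in (root, content) for f in os.listdir(d)
                      if os.path.isfile(os.path.join(d, f)))
    finally:
        shutil.rmtree(root)
    return {"deleted": first, "second_pass": second, "kept": kept}


if __name__ == "__main__":
    print(demo())
```

In the fixture, the stale legacy db.sql, the abandoned migration's log and the stale sidecar are removed, while the current migration's 7-hour-old db-<hash>.sql survives because of exclude_hash and the abandoned migration's 1-hour-old wp-content backup survives because it is under the threshold. Two things a practitioner should keep in mind when adopting a sweep like this: the globs are deliberately broad, so a site that keeps its own db-*.sql file in the document root or wp-content would lose it once it is older than the threshold; and the sidecar, which cannot carry the hash, relies entirely on the mtime guard, so a push whose upload takes longer than the threshold would see its own sidecar become eligible on the next sweep.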
Contributor
Claude finished @randhirinsta's task. Pull Request Review Complete. Context loaded:
Review Todo List:
✅ Overall Assessment: EXCELLENT
This PR implements a critical security hardening feature with excellent engineering practices. The changes demonstrate strong adherence to architectural principles and security best practices.
🔒 Security Improvements
Critical Security Enhancement
Backward Compatibility
🧹 Automatic Cleanup System
Self-Healing Architecture
🏗️ Architectural Excellence
✅ STRONG ADHERENCE TO CORE PRINCIPLES
1. Single Source of Truth (SSOT)
2. DRY (Don't Repeat Yourself)
3. Separation of Concerns (SoC)
4. Proper Abstraction
📋 Code Quality Assessment
✅ Strengths
✅ WordPress Standards Compliance
🔧 Implementation Details
iwp-dest/index.php Changes

```php
// Lines 28-32: Per-migration filename suffix generation
$migration_key_hash = iwp_get_migration_key_hash( $migrate_key );
$log_file_path      = $root_dir_path . DIRECTORY_SEPARATOR . 'iwp-push-log-' . $migration_key_hash . '.txt';
$received_db_path   = $root_dir_path . DIRECTORY_SEPARATOR . 'iwp-db-received-' . $migration_key_hash . '.sql';

// Lines 127-134: Secure db.sql handling
$file_save_path = $root_dir_path . DIRECTORY_SEPARATOR . 'db-' . $migration_key_hash . '.sql';
```

functions-pull-push.php Enhancements
class-instawp-tools.php Improvements
🚀 Performance & Reliability
🔍 Minor Observations
Suggestions for Future Enhancement
Code Style Notes
🎯 Recommendation: APPROVE
This is exemplary work that significantly enhances security while maintaining backward compatibility. The implementation demonstrates:
The PR is ready for merge with confidence.