Constant time for wp_verify_nonce().
git-svn-id: https://develop.svn.wordpress.org/trunk@29382 602fd350-edb4-49c9-b593-d223f7449a82
@@ -671,7 +671,7 @@ function wp_validate_auth_cookie($cookie = '', $scheme = '') {
|
||||
$key = wp_hash( $username . '|' . $pass_frag . '|' . $expiration . '|' . $token, $scheme );
|
||||
$hash = hash_hmac( 'sha256', $username . '|' . $expiration . '|' . $token, $key );
|
||||
|
||||
if ( hash_hmac( 'sha256', $hmac, $key ) !== hash_hmac( 'sha256', $hash, $key ) ) {
|
||||
if ( ! hash_equals( $hash, $hmac ) ) {
|
||||
/**
|
||||
* Fires if a bad authentication cookie hash is encountered.
|
||||
*
|
||||
@@ -1711,12 +1711,14 @@ function wp_verify_nonce($nonce, $action = -1) {
|
||||
$i = wp_nonce_tick();
|
||||
|
||||
// Nonce generated 0-12 hours ago
|
||||
if ( $nonce === substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce'), -12, 10 ) ) {
|
||||
$expected = substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce'), -12, 10 );
|
||||
if ( hash_equals( $expected, $nonce ) ) {
|
||||
return 1;
|
||||
}
|
||||
|
||||
// Nonce generated 12-24 hours ago
|
||||
if ( $nonce === substr( wp_hash( ( $i - 1 ) . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 ) ) {
|
||||
$expected = substr( wp_hash( ( $i - 1 ) . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
|
||||
if ( hash_equals( $expected, $nonce ) ) {
|
||||
return 2;
|
||||
}
|
||||
|
||||
|
||||
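Review bot: `hash_equals( $expected, $nonce )` on the added lines of the wp_verify_nonce hunk requires both arguments to be strings, whereas the `===` comparison it replaces accepted any type; `$nonce` is normally taken straight from the request, so a non-string value (an array-valued parameter, `null`) now produces a warning (a TypeError on PHP 8) instead of a plain `false`. Coercing at function entry, `$nonce = (string) $nonce;`, preserves the earlier failure mode for malformed input; wp_verify_nonce's opening lines are outside the hunk. The argument order — known-good value first, user-supplied value second — follows hash_equals's contract in both this hunk and the wp_validate_auth_cookie hunk, and the fixed 10-character nonce length means the early length check in hash_equals reveals nothing useful. If the project still supports PHP releases older than 5.6, hash_equals needs a compat shim; whether this commit adds one elsewhere is not visible from this section.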