X-Git-Url: https://scripts.mit.edu/gitweb/autoinstalls/wordpress.git/blobdiff_plain/0461a5f2e55c8d5f1fde96ca2e83117152573c7d..fa6ee2c363cdfdebcb4b76e4d9c4347a4cb19065:/wp-includes/pluggable.php?ds=sidebyside diff --git a/wp-includes/pluggable.php b/wp-includes/pluggable.php index dae13a4a..8f3a5de6 100644 --- a/wp-includes/pluggable.php +++ b/wp-includes/pluggable.php @@ -72,9 +72,8 @@ if ( !function_exists('get_currentuserinfo') ) : * @since 0.71 * * @uses $current_user Checks if the current user is set - * @uses wp_validate_auth_cookie() Retrieves current logged in user. * - * @return bool|null False on XML-RPC Request and invalid auth cookie. Null when current user set. + * @return null|false False on XML-RPC Request and invalid auth cookie. Null when current user set. */ function get_currentuserinfo() { global $current_user; @@ -233,11 +232,31 @@ function wp_mail( $to, $subject, $message, $headers = '', $attachments = array() * @param array $args A compacted array of wp_mail() arguments, including the "to" email, * subject, message, headers, and attachments values. */ - extract( apply_filters( 'wp_mail', compact( 'to', 'subject', 'message', 'headers', 'attachments' ) ) ); + $atts = apply_filters( 'wp_mail', compact( 'to', 'subject', 'message', 'headers', 'attachments' ) ); - if ( !is_array($attachments) ) - $attachments = explode( "\n", str_replace( "\r\n", "\n", $attachments ) ); + if ( isset( $atts['to'] ) ) { + $to = $atts['to']; + } + + if ( isset( $atts['subject'] ) ) { + $subject = $atts['subject']; + } + + if ( isset( $atts['message'] ) ) { + $message = $atts['message']; + } + + if ( isset( $atts['headers'] ) ) { + $headers = $atts['headers']; + } + if ( isset( $atts['attachments'] ) ) { + $attachments = $atts['attachments']; + } + + if ( ! is_array( $attachments ) ) { + $attachments = explode( "\n", str_replace( "\r\n", "\n", $attachments ) ); + } global $phpmailer; // (Re)create it, if it's gone missing @@ -340,7 +359,7 @@ function wp_mail( $to, $subject, $message, $headers = '', $attachments = array() * Some hosts will block outgoing mail from this address if it doesn't exist but * there's no easy alternative. Defaulting to admin_email might appear to be another * option but some hosts may refuse to relay mail from an unknown domain. See - * http://trac.wordpress.org/ticket/5007. + * https://core.trac.wordpress.org/ticket/5007. */ if ( !isset( $from_email ) ) { @@ -566,6 +585,7 @@ if ( !function_exists('wp_logout') ) : * @since 2.5.0 */ function wp_logout() { + wp_destroy_current_session(); wp_clear_auth_cookie(); /** @@ -608,13 +628,16 @@ function wp_validate_auth_cookie($cookie = '', $scheme = '') { return false; } - extract($cookie_elements, EXTR_OVERWRITE); - - $expired = $expiration; + $scheme = $cookie_elements['scheme']; + $username = $cookie_elements['username']; + $hmac = $cookie_elements['hmac']; + $token = $cookie_elements['token']; + $expired = $expiration = $cookie_elements['expiration']; // Allow a grace period for POST and AJAX requests - if ( defined('DOING_AJAX') || 'POST' == $_SERVER['REQUEST_METHOD'] ) + if ( defined('DOING_AJAX') || 'POST' == $_SERVER['REQUEST_METHOD'] ) { $expired += HOUR_IN_SECONDS; + } // Quick check to see if an honest cookie has expired if ( $expired < time() ) { @@ -644,8 +667,11 @@ function wp_validate_auth_cookie($cookie = '', $scheme = '') { $pass_frag = substr($user->user_pass, 8, 4); - $key = wp_hash($username . $pass_frag . '|' . $expiration, $scheme); - $hash = hash_hmac('md5', $username . '|' . $expiration, $key); + $key = wp_hash( $username . '|' . $pass_frag . '|' . $expiration . '|' . $token, $scheme ); + + // If ext/hash is not present, compat.php's hash_hmac() does not support sha256. + $algo = function_exists( 'hash' ) ? 'sha256' : 'sha1'; + $hash = hash_hmac( $algo, $username . '|' . $expiration . '|' . $token, $key ); if ( ! hash_equals( $hash, $hmac ) ) { /** @@ -659,8 +685,16 @@ function wp_validate_auth_cookie($cookie = '', $scheme = '') { return false; } - if ( $expiration < time() ) // AJAX/POST grace period set above + $manager = WP_Session_Tokens::get_instance( $user->ID ); + if ( ! $manager->verify( $token ) ) { + do_action( 'auth_cookie_bad_session_token', $cookie_elements ); + return false; + } + + // AJAX/POST grace period set above + if ( $expiration < time() ) { $GLOBALS['login_grace_period'] = 1; + } /** * Fires once an authentication cookie has been validated. @@ -685,17 +719,29 @@ if ( !function_exists('wp_generate_auth_cookie') ) : * @param int $user_id User ID * @param int $expiration Cookie expiration in seconds * @param string $scheme Optional. The cookie scheme to use: auth, secure_auth, or logged_in - * @return string Authentication cookie contents + * @param string $token User's session token to use for this cookie + * @return string Authentication cookie contents. Empty string if user does not exist. */ -function wp_generate_auth_cookie($user_id, $expiration, $scheme = 'auth') { +function wp_generate_auth_cookie( $user_id, $expiration, $scheme = 'auth', $token = '' ) { $user = get_userdata($user_id); + if ( ! $user ) { + return ''; + } + + if ( ! $token ) { + $manager = WP_Session_Tokens::get_instance( $user_id ); + $token = $manager->create( $expiration ); + } $pass_frag = substr($user->user_pass, 8, 4); - $key = wp_hash($user->user_login . $pass_frag . '|' . $expiration, $scheme); - $hash = hash_hmac('md5', $user->user_login . '|' . $expiration, $key); + $key = wp_hash( $user->user_login . '|' . $pass_frag . '|' . $expiration . '|' . $token, $scheme ); - $cookie = $user->user_login . '|' . $expiration . '|' . $hash; + // If ext/hash is not present, compat.php's hash_hmac() does not support sha256. + $algo = function_exists( 'hash' ) ? 'sha256' : 'sha1'; + $hash = hash_hmac( $algo, $user->user_login . '|' . $expiration . '|' . $token, $key ); + + $cookie = $user->user_login . '|' . $expiration . '|' . $token . '|' . $hash; /** * Filter the authentication cookie. @@ -706,8 +752,9 @@ function wp_generate_auth_cookie($user_id, $expiration, $scheme = 'auth') { * @param int $user_id User ID. * @param int $expiration Authentication cookie expiration in seconds. * @param string $scheme Cookie scheme used. Accepts 'auth', 'secure_auth', or 'logged_in'. + * @param string $token User's session token used. */ - return apply_filters( 'auth_cookie', $cookie, $user_id, $expiration, $scheme ); + return apply_filters( 'auth_cookie', $cookie, $user_id, $expiration, $scheme, $token ); } endif; @@ -749,12 +796,13 @@ function wp_parse_auth_cookie($cookie = '', $scheme = '') { } $cookie_elements = explode('|', $cookie); - if ( count($cookie_elements) != 3 ) + if ( count( $cookie_elements ) !== 4 ) { return false; + } - list($username, $expiration, $hmac) = $cookie_elements; + list( $username, $expiration, $token, $hmac ) = $cookie_elements; - return compact('username', 'expiration', 'hmac', 'scheme'); + return compact( 'username', 'expiration', 'token', 'hmac', 'scheme' ); } endif; @@ -770,6 +818,8 @@ if ( !function_exists('wp_set_auth_cookie') ) : * * @param int $user_id User ID * @param bool $remember Whether to remember the user + * @param mixed $secure Whether the admin cookies should only be sent over HTTPS. + * Default is_ssl(). */ function wp_set_auth_cookie($user_id, $remember = false, $secure = '') { if ( $remember ) { @@ -795,8 +845,12 @@ function wp_set_auth_cookie($user_id, $remember = false, $secure = '') { $expire = 0; } - if ( '' === $secure ) + if ( '' === $secure ) { $secure = is_ssl(); + } + + // Frontend cookie is secure when the auth cookie is secure and the site's home URL is forced HTTPS. + $secure_logged_in_cookie = $secure && 'https' === parse_url( get_option( 'home' ), PHP_URL_SCHEME ); /** * Filter whether the connection is secure. @@ -813,11 +867,11 @@ function wp_set_auth_cookie($user_id, $remember = false, $secure = '') { * * @since 3.1.0 * - * @param bool $cookie Whether to use a secure cookie when logged-in. - * @param int $user_id User ID. - * @param bool $secure Whether the connection is secure. + * @param bool $secure_logged_in_cookie Whether to use a secure cookie when logged-in. + * @param int $user_id User ID. + * @param bool $secure Whether the connection is secure. */ - $secure_logged_in_cookie = apply_filters( 'secure_logged_in_cookie', false, $user_id, $secure ); + $secure_logged_in_cookie = apply_filters( 'secure_logged_in_cookie', $secure_logged_in_cookie, $user_id, $secure ); if ( $secure ) { $auth_cookie_name = SECURE_AUTH_COOKIE; @@ -827,8 +881,11 @@ function wp_set_auth_cookie($user_id, $remember = false, $secure = '') { $scheme = 'auth'; } - $auth_cookie = wp_generate_auth_cookie($user_id, $expiration, $scheme); - $logged_in_cookie = wp_generate_auth_cookie($user_id, $expiration, 'logged_in'); + $manager = WP_Session_Tokens::get_instance( $user_id ); + $token = $manager->create( $expiration ); + + $auth_cookie = wp_generate_auth_cookie( $user_id, $expiration, $scheme, $token ); + $logged_in_cookie = wp_generate_auth_cookie( $user_id, $expiration, 'logged_in', $token ); /** * Fires immediately before the authentication cookie is set. @@ -1007,8 +1064,8 @@ if ( !function_exists('check_admin_referer') ) : * * @since 1.2.0 * - * @param string $action Action nonce - * @param string $query_arg where to look for nonce in $_REQUEST (since 2.5) + * @param int|string $action Action nonce + * @param string $query_arg Where to look for nonce in $_REQUEST (since 2.5) */ function check_admin_referer($action = -1, $query_arg = '_wpnonce') { if ( -1 == $action ) @@ -1041,8 +1098,8 @@ if ( !function_exists('check_ajax_referer') ) : * * @since 2.0.3 * - * @param string $action Action nonce - * @param string $query_arg where to look for nonce in $_REQUEST (since 2.5) + * @param int|string $action Action nonce + * @param string $query_arg Where to look for nonce in $_REQUEST (since 2.5) */ function check_ajax_referer( $action = -1, $query_arg = false, $die = true ) { $nonce = ''; @@ -1133,7 +1190,7 @@ if ( !function_exists('wp_sanitize_redirect') ) : * @return string redirect-sanitized URL **/ function wp_sanitize_redirect($location) { - $location = preg_replace('|[^a-z0-9-~+_.?#=&;,/:%!]|i', '', $location); + $location = preg_replace('|[^a-z0-9-~+_.?#=&;,/:%!*\[\]()]|i', '', $location); $location = wp_kses_no_null($location); // remove %0d and %0a from location @@ -1157,8 +1214,6 @@ if ( !function_exists('wp_safe_redirect') ) : * * @since 2.3.0 * - * @uses wp_validate_redirect() To validate the redirect is to an allowed host. - * * @return void Does not return anything **/ function wp_safe_redirect($location, $status = 302) { @@ -1327,9 +1382,9 @@ function wp_notify_postauthor( $comment_id, $deprecated = null ) { $notify_message = sprintf( __( 'New trackback on your post "%s"' ), $post->post_title ) . "\r\n"; /* translators: 1: website name, 2: author IP, 3: author domain */ $notify_message .= sprintf( __('Website: %1$s (IP: %2$s , %3$s)'), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n"; - $notify_message .= sprintf( __('URL : %s'), $comment->comment_author_url ) . "\r\n"; - $notify_message .= __('Excerpt: ') . "\r\n" . $comment->comment_content . "\r\n\r\n"; - $notify_message .= __('You can see all trackbacks on this post here: ') . "\r\n"; + $notify_message .= sprintf( __( 'URL: %s' ), $comment->comment_author_url ) . "\r\n"; + $notify_message .= sprintf( __( 'Comment: %s' ), $comment->comment_content ) . "\r\n\r\n"; + $notify_message .= __( 'You can see all trackbacks on this post here:' ) . "\r\n"; /* translators: 1: blog name, 2: post title */ $subject = sprintf( __('[%1$s] Trackback: "%2$s"'), $blogname, $post->post_title ); break; @@ -1337,21 +1392,21 @@ function wp_notify_postauthor( $comment_id, $deprecated = null ) { $notify_message = sprintf( __( 'New pingback on your post "%s"' ), $post->post_title ) . "\r\n"; /* translators: 1: comment author, 2: author IP, 3: author domain */ $notify_message .= sprintf( __('Website: %1$s (IP: %2$s , %3$s)'), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n"; - $notify_message .= sprintf( __('URL : %s'), $comment->comment_author_url ) . "\r\n"; - $notify_message .= __('Excerpt: ') . "\r\n" . sprintf('[...] %s [...]', $comment->comment_content ) . "\r\n\r\n"; - $notify_message .= __('You can see all pingbacks on this post here: ') . "\r\n"; + $notify_message .= sprintf( __( 'URL: %s' ), $comment->comment_author_url ) . "\r\n"; + $notify_message .= sprintf( __( 'Comment: %s' ), $comment->comment_content ) . "\r\n\r\n"; + $notify_message .= __( 'You can see all pingbacks on this post here:' ) . "\r\n"; /* translators: 1: blog name, 2: post title */ $subject = sprintf( __('[%1$s] Pingback: "%2$s"'), $blogname, $post->post_title ); break; default: // Comments $notify_message = sprintf( __( 'New comment on your post "%s"' ), $post->post_title ) . "\r\n"; /* translators: 1: comment author, 2: author IP, 3: author domain */ - $notify_message .= sprintf( __('Author : %1$s (IP: %2$s , %3$s)'), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n"; - $notify_message .= sprintf( __('E-mail : %s'), $comment->comment_author_email ) . "\r\n"; - $notify_message .= sprintf( __('URL : %s'), $comment->comment_author_url ) . "\r\n"; - $notify_message .= sprintf( __('Whois : http://whois.arin.net/rest/ip/%s'), $comment->comment_author_IP ) . "\r\n"; - $notify_message .= __('Comment: ') . "\r\n" . $comment->comment_content . "\r\n\r\n"; - $notify_message .= __('You can see all comments on this post here: ') . "\r\n"; + $notify_message .= sprintf( __( 'Author: %1$s (IP: %2$s , %3$s)' ), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n"; + $notify_message .= sprintf( __( 'E-mail: %s' ), $comment->comment_author_email ) . "\r\n"; + $notify_message .= sprintf( __( 'URL: %s' ), $comment->comment_author_url ) . "\r\n"; + $notify_message .= sprintf( __( 'Whois: %s' ), "http://whois.arin.net/rest/ip/{$comment->comment_author_IP}" ) . "\r\n"; + $notify_message .= sprintf( __('Comment: %s' ), $comment->comment_content ) . "\r\n\r\n"; + $notify_message .= __( 'You can see all comments on this post here:' ) . "\r\n"; /* translators: 1: blog name, 2: post title */ $subject = sprintf( __('[%1$s] Comment: "%2$s"'), $blogname, $post->post_title ); break; @@ -1429,7 +1484,7 @@ if ( !function_exists('wp_notify_moderator') ) : * * @since 1.0.0 * - * @uses $wpdb + * @global wpdb $wpdb WordPress database abstraction object. * * @param int $comment_id Comment ID * @return bool Always returns true @@ -1611,7 +1666,7 @@ if ( !function_exists('wp_nonce_tick') ) : * * @since 2.5.0 * - * @return int + * @return float Float value rounded up to the next highest integer. */ function wp_nonce_tick() { /** @@ -1636,11 +1691,12 @@ if ( !function_exists('wp_verify_nonce') ) : * * @since 2.0.3 * - * @param string $nonce Nonce that was used in the form to verify + * @param string $nonce Nonce that was used in the form to verify * @param string|int $action Should give context to what is taking place and be the same when nonce was created. * @return bool Whether the nonce check passed or failed. */ -function wp_verify_nonce($nonce, $action = -1) { +function wp_verify_nonce( $nonce, $action = -1 ) { + $nonce = (string) $nonce; $user = wp_get_current_user(); $uid = (int) $user->ID; if ( ! $uid ) { @@ -1655,16 +1711,21 @@ function wp_verify_nonce($nonce, $action = -1) { $uid = apply_filters( 'nonce_user_logged_out', $uid, $action ); } + if ( empty( $nonce ) ) { + return false; + } + + $token = wp_get_session_token(); $i = wp_nonce_tick(); // Nonce generated 0-12 hours ago - $expected = substr( wp_hash( $i . '|' . $action . '|' . $uid, 'nonce'), -12, 10 ); + $expected = substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce'), -12, 10 ); if ( hash_equals( $expected, $nonce ) ) { return 1; } // Nonce generated 12-24 hours ago - $expected = substr( wp_hash( ( $i - 1 ) . '|' . $action . '|' . $uid, 'nonce' ), -12, 10 ); + $expected = substr( wp_hash( ( $i - 1 ) . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 ); if ( hash_equals( $expected, $nonce ) ) { return 2; } @@ -1676,12 +1737,12 @@ endif; if ( !function_exists('wp_create_nonce') ) : /** - * Creates a random, one time use token. + * Creates a cryptographic token tied to a specific action, user, and window of time. * * @since 2.0.3 * * @param string|int $action Scalar value to add context to the nonce. - * @return string The one use form token + * @return string The token. */ function wp_create_nonce($action = -1) { $user = wp_get_current_user(); @@ -1691,9 +1752,10 @@ function wp_create_nonce($action = -1) { $uid = apply_filters( 'nonce_user_logged_out', $uid, $action ); } + $token = wp_get_session_token(); $i = wp_nonce_tick(); - return substr(wp_hash($i . '|' . $action . '|' . $uid, 'nonce'), -12, 10); + return substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 ); } endif; @@ -1711,16 +1773,14 @@ if ( !function_exists('wp_salt') ) : * {@link https://api.wordpress.org/secret-key/1.1/salt/ secret key created} just * for you. * - * - * define('AUTH_KEY', ' XakmM%G4Yt>f`z]MON'); - * define('SECURE_AUTH_KEY', 'LzJ}op]mr|6+![P}Ak:uNdJCJZd>(Hx.-Mh#Tz)pCIU#uGEnfFz|f ;;eU%/U^O~'); - * define('LOGGED_IN_KEY', '|i|Ux`9z7X>QYR0Z_XnZ@|'); - * define('AUTH_SALT', 'eZyT)-Naw]F8CwA*VaW#q*|.)g@o}||wf~@C-YSt}(dh_r6EbI#A,y|nU2{B#JBW'); - * define('SECURE_AUTH_SALT', '!=oLUTXh,QW=H `}`L|9/^4-3 STz},T(w}W*c(u`g~EJBf#8u#R{mUEZrozmm'); - * define('NONCE_SALT', 'h`GXHhD>SLWVfg1(1(N{;.V!MoE(SfbA_ksP@&`+AycHcAV$+?@3q+rxV{%^VyKT'); - * + * define('AUTH_KEY', ' XakmM%G4Yt>f`z]MON'); + * define('SECURE_AUTH_KEY', 'LzJ}op]mr|6+![P}Ak:uNdJCJZd>(Hx.-Mh#Tz)pCIU#uGEnfFz|f ;;eU%/U^O~'); + * define('LOGGED_IN_KEY', '|i|Ux`9z7X>QYR0Z_XnZ@|'); + * define('AUTH_SALT', 'eZyT)-Naw]F8CwA*VaW#q*|.)g@o}||wf~@C-YSt}(dh_r6EbI#A,y|nU2{B#JBW'); + * define('SECURE_AUTH_SALT', '!=oLUTXh,QW=H `}`L|9/^4-3 STz},T(w}W*c(u`g~EJBf#8u#R{mUEZrozmm'); + * define('NONCE_SALT', 'h`GXHhD>SLWVfg1(1(N{;.V!MoE(SfbA_ksP@&`+AycHcAV$+?@3q+rxV{%^VyKT'); * * Salting passwords helps against tools which has stored hashed values of * common dictionary strings. The added values makes it harder to crack. @@ -1752,45 +1812,51 @@ function wp_salt( $scheme = 'auth' ) { $duplicated_keys = array( 'put your unique phrase here' => true ); foreach ( array( 'AUTH', 'SECURE_AUTH', 'LOGGED_IN', 'NONCE', 'SECRET' ) as $first ) { foreach ( array( 'KEY', 'SALT' ) as $second ) { - if ( ! defined( "{$first}_{$second}" ) ) + if ( ! defined( "{$first}_{$second}" ) ) { continue; + } $value = constant( "{$first}_{$second}" ); $duplicated_keys[ $value ] = isset( $duplicated_keys[ $value ] ); } } } - $key = $salt = ''; - if ( defined( 'SECRET_KEY' ) && SECRET_KEY && empty( $duplicated_keys[ SECRET_KEY ] ) ) - $key = SECRET_KEY; - if ( 'auth' == $scheme && defined( 'SECRET_SALT' ) && SECRET_SALT && empty( $duplicated_keys[ SECRET_SALT ] ) ) - $salt = SECRET_SALT; + $values = array( + 'key' => '', + 'salt' => '' + ); + if ( defined( 'SECRET_KEY' ) && SECRET_KEY && empty( $duplicated_keys[ SECRET_KEY ] ) ) { + $values['key'] = SECRET_KEY; + } + if ( 'auth' == $scheme && defined( 'SECRET_SALT' ) && SECRET_SALT && empty( $duplicated_keys[ SECRET_SALT ] ) ) { + $values['salt'] = SECRET_SALT; + } if ( in_array( $scheme, array( 'auth', 'secure_auth', 'logged_in', 'nonce' ) ) ) { foreach ( array( 'key', 'salt' ) as $type ) { $const = strtoupper( "{$scheme}_{$type}" ); if ( defined( $const ) && constant( $const ) && empty( $duplicated_keys[ constant( $const ) ] ) ) { - $$type = constant( $const ); - } elseif ( ! $$type ) { - $$type = get_site_option( "{$scheme}_{$type}" ); - if ( ! $$type ) { - $$type = wp_generate_password( 64, true, true ); - update_site_option( "{$scheme}_{$type}", $$type ); + $values[ $type ] = constant( $const ); + } elseif ( ! $values[ $type ] ) { + $values[ $type ] = get_site_option( "{$scheme}_{$type}" ); + if ( ! $values[ $type ] ) { + $values[ $type ] = wp_generate_password( 64, true, true ); + update_site_option( "{$scheme}_{$type}", $values[ $type ] ); } } } } else { - if ( ! $key ) { - $key = get_site_option( 'secret_key' ); - if ( ! $key ) { - $key = wp_generate_password( 64, true, true ); - update_site_option( 'secret_key', $key ); + if ( ! $values['key'] ) { + $values['key'] = get_site_option( 'secret_key' ); + if ( ! $values['key'] ) { + $values['key'] = wp_generate_password( 64, true, true ); + update_site_option( 'secret_key', $values['key'] ); } } - $salt = hash_hmac( 'md5', $scheme, $key ); + $values['salt'] = hash_hmac( 'md5', $scheme, $values['key'] ); } - $cached_salts[ $scheme ] = $key . $salt; + $cached_salts[ $scheme ] = $values['key'] . $values['salt']; /** This filter is documented in wp-includes/pluggable.php */ return apply_filters( 'salt', $cached_salts[ $scheme ], $scheme ); @@ -1802,7 +1868,6 @@ if ( !function_exists('wp_hash') ) : * Get hash of given string. * * @since 2.0.3 - * @uses wp_salt() Get WordPress salt * * @param string $data Plain text to hash * @return string Hash of $data @@ -1833,7 +1898,7 @@ function wp_hash_password($password) { global $wp_hasher; if ( empty($wp_hasher) ) { - require_once( ABSPATH . 'wp-includes/class-phpass.php'); + require_once( ABSPATH . WPINC . '/class-phpass.php'); // By default, use the portable hash from phpass $wp_hasher = new PasswordHash(8, true); } @@ -1869,7 +1934,7 @@ function wp_check_password($password, $hash, $user_id = '') { // If the hash is still md5... if ( strlen($hash) <= 32 ) { - $check = ( $hash == md5($password) ); + $check = hash_equals( $hash, md5( $password ) ); if ( $check && $user_id ) { // Rehash using new hash. wp_set_password($password, $user_id); @@ -1881,9 +1946,10 @@ function wp_check_password($password, $hash, $user_id = '') { * * @since 2.5.0 * - * @param bool $check Whether the passwords match. - * @param string $hash The hashed password. - * @param int $user_id User ID. + * @param bool $check Whether the passwords match. + * @param string $password The plaintext password. + * @param string $hash The hashed password. + * @param int $user_id User ID. */ return apply_filters( 'check_password', $check, $password, $hash, $user_id ); } @@ -1891,7 +1957,7 @@ function wp_check_password($password, $hash, $user_id = '') { // If the stored hash is longer than an MD5, presume the // new style phpass portable hash. if ( empty($wp_hasher) ) { - require_once( ABSPATH . 'wp-includes/class-phpass.php'); + require_once( ABSPATH . WPINC . '/class-phpass.php'); // By default, use the portable hash from phpass $wp_hasher = new PasswordHash(8, true); } @@ -1909,12 +1975,13 @@ if ( !function_exists('wp_generate_password') ) : * * @since 2.5.0 * - * @param int $length The length of password to generate - * @param bool $special_chars Whether to include standard special characters. Default true. - * @param bool $extra_special_chars Whether to include other special characters. Used when - * generating secret keys and salts. Default false. - * @return string The random password - **/ + * @param int $length Optional. The length of password to generate. Default 12. + * @param bool $special_chars Optional. Whether to include standard special characters. + * Default true. + * @param bool $extra_special_chars Optional. Whether to include other special characters. + * Used when generating secret keys and salts. Default false. + * @return string The random password. + */ function wp_generate_password( $length = 12, $special_chars = true, $extra_special_chars = false ) { $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'; if ( $special_chars ) @@ -1992,10 +2059,13 @@ if ( !function_exists('wp_set_password') ) : * For integration with other applications, this function can be overwritten to * instead use the other package password checking algorithm. * + * Please note: This function should be used sparingly and is really only meant for single-time + * application. Leveraging this improperly in a plugin or theme could result in an endless loop + * of password resets if precautions are not taken to ensure it does not execute on every page load. + * * @since 2.5.0 * - * @uses $wpdb WordPress database object for queries - * @uses wp_hash_password() Used to encrypt the user's password before passing to the database + * @global wpdb $wpdb WordPress database abstraction object. * * @param string $password The plaintext new user password * @param int $user_id User ID @@ -2020,7 +2090,7 @@ if ( !function_exists( 'get_avatar' ) ) : * @param int $size Size of the avatar image * @param string $default URL to a default image to use if no avatar is available * @param string $alt Alternative text to use in image tag. Defaults to blank - * @return string tag for the user's avatar + * @return false|string `` tag for the user's avatar. */ function get_avatar( $id_or_email, $size = '96', $default = '', $alt = false ) { if ( ! get_option('show_avatars') ) @@ -2207,35 +2277,3 @@ function wp_text_diff( $left_string, $right_string, $args = null ) { } endif; -if ( ! function_exists( 'hash_equals' ) ) : -/** - * Compare two strings in constant time. - * - * This function is NOT pluggable. It is in this file (in addition to - * compat.php) to prevent errors if, during an update, pluggable.php - * copies over but compat.php does not. - * - * This function was added in PHP 5.6. - * It can leak the length of a string. - * - * @since 3.9.2 - * - * @param string $a Expected string. - * @param string $b Actual string. - * @return bool Whether strings are equal. - */ -function hash_equals( $a, $b ) { - $a_length = strlen( $a ); - if ( $a_length !== strlen( $b ) ) { - return false; - } - $result = 0; - - // Do not attempt to "optimize" this. - for ( $i = 0; $i < $a_length; $i++ ) { - $result |= ord( $a[ $i ] ) ^ ord( $b[ $i ] ); - } - - return $result === 0; -} -endif;