X-Git-Url: https://scripts.mit.edu/gitweb/autoinstalls/wordpress.git/blobdiff_plain/41578db67d72562346e4dbb2a14889b23d522813..245e789b234afa4525862e7a6e5e3c2e7a52ef20:/wp-includes/pluggable.php
diff --git a/wp-includes/pluggable.php b/wp-includes/pluggable.php
index ef2821fb..dae13a4a 100644
--- a/wp-includes/pluggable.php
+++ b/wp-includes/pluggable.php
@@ -647,7 +647,7 @@ function wp_validate_auth_cookie($cookie = '', $scheme = '') {
$key = wp_hash($username . $pass_frag . '|' . $expiration, $scheme);
$hash = hash_hmac('md5', $username . '|' . $expiration, $key);
- if ( hash_hmac( 'md5', $hmac, $key ) !== hash_hmac( 'md5', $hash, $key ) ) {
+ if ( ! hash_equals( $hash, $hmac ) ) {
/**
* Fires if a bad authentication cookie hash is encountered.
*
@@ -1658,11 +1658,17 @@ function wp_verify_nonce($nonce, $action = -1) {
$i = wp_nonce_tick();
// Nonce generated 0-12 hours ago
- if ( substr(wp_hash($i . $action . $uid, 'nonce'), -12, 10) === $nonce )
+ $expected = substr( wp_hash( $i . '|' . $action . '|' . $uid, 'nonce'), -12, 10 );
+ if ( hash_equals( $expected, $nonce ) ) {
return 1;
+ }
+
// Nonce generated 12-24 hours ago
- if ( substr(wp_hash(($i - 1) . $action . $uid, 'nonce'), -12, 10) === $nonce )
+ $expected = substr( wp_hash( ( $i - 1 ) . '|' . $action . '|' . $uid, 'nonce' ), -12, 10 );
+ if ( hash_equals( $expected, $nonce ) ) {
return 2;
+ }
+
// Invalid nonce
return false;
}
@@ -1687,7 +1693,7 @@ function wp_create_nonce($action = -1) {
$i = wp_nonce_tick();
- return substr(wp_hash($i . $action . $uid, 'nonce'), -12, 10);
+ return substr(wp_hash($i . '|' . $action . '|' . $uid, 'nonce'), -12, 10);
}
endif;
@@ -2107,7 +2113,8 @@ function get_avatar( $id_or_email, $size = '96', $default = '', $alt = false ) {
$out = str_replace( '&', '&', esc_url( $out ) );
$avatar = "";
} else {
- $avatar = "";
+ $out = esc_url( $default );
+ $avatar = "";
}
/**
@@ -2200,3 +2207,35 @@ function wp_text_diff( $left_string, $right_string, $args = null ) {
}
endif;
+if ( ! function_exists( 'hash_equals' ) ) :
+/**
+ * Compare two strings in constant time.
+ *
+ * This function is NOT pluggable. It is in this file (in addition to
+ * compat.php) to prevent errors if, during an update, pluggable.php
+ * copies over but compat.php does not.
+ *
+ * This function was added in PHP 5.6.
+ * It can leak the length of a string.
+ *
+ * @since 3.9.2
+ *
+ * @param string $a Expected string.
+ * @param string $b Actual string.
+ * @return bool Whether strings are equal.
+ */
+function hash_equals( $a, $b ) {
+ $a_length = strlen( $a );
+ if ( $a_length !== strlen( $b ) ) {
+ return false;
+ }
+ $result = 0;
+
+ // Do not attempt to "optimize" this.
+ for ( $i = 0; $i < $a_length; $i++ ) {
+ $result |= ord( $a[ $i ] ) ^ ord( $b[ $i ] );
+ }
+
+ return $result === 0;
+}
+endif;