Ticket #37324: 37324.patch

File 37324.patch, 1.5 KB (added by ocean90, 5 years ago)
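--- a/src/wp-admin/ms-delete-site.php
+++ b/src/wp-admin/ms-delete-site.php
@@ -16,7 +16,7 @@
         wp_die(__( 'Sorry, you are not allowed to delete this site.'));
 
 if ( isset( $_GET['h'] ) && $_GET['h'] != '' && get_option( 'delete_blog_hash' ) != false ) {
-        if ( get_option( 'delete_blog_hash' ) == $_GET['h'] ) {
+        if ( hash_equals( get_option( 'delete_blog_hash' ), $_GET['h'] ) ) {
                 wpmu_delete_blog( $wpdb->blogid );
                 wp_die( sprintf( __( 'Thank you for using %s, your site has been deleted. Happy trails to you until we meet again.' ), $current_site->site_name ) );
         } else {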
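Review bot: `hash_equals()` on new line 19 receives `$_GET['h']` without a type check, and the guard on line 18 (`isset` plus `!= ''`) also lets an array-valued query parameter through. The loose `==` it replaces just compared unequal in that case, whereas `hash_equals()` requires two strings and raises a warning or, on newer PHP versions, a TypeError, so a malformed request becomes an error rather than a clean rejection. Adding `is_string( $_GET['h'] )` to the outer condition keeps the constant-time comparison and rejects non-string input quietly. The same applies to `$_GET[ 'adminhash' ]` in src/wp-admin/options.php, where `! empty()` also passes for a non-empty array. The `else` branch continues outside the hunk.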
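--- a/src/wp-admin/options.php
+++ b/src/wp-admin/options.php
@@ -57,7 +57,7 @@
         if ( ! empty($_GET[ 'adminhash' ] ) ) {
                 $new_admin_details = get_option( 'adminhash' );
                 $redirect = 'options-general.php?updated=false';
-                if ( is_array( $new_admin_details ) && $new_admin_details[ 'hash' ] == $_GET[ 'adminhash' ] && !empty($new_admin_details[ 'newemail' ]) ) {
+                if ( is_array( $new_admin_details ) && hash_equals( $new_admin_details[ 'hash' ], $_GET[ 'adminhash' ] ) && !empty($new_admin_details[ 'newemail' ]) ) {
                         update_option( 'admin_email', $new_admin_details[ 'newemail' ] );
                         delete_option( 'adminhash' );
                         delete_option( 'new_admin_email' );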
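Review bot: On new line 60, `$new_admin_details[ 'hash' ]` is passed to `hash_equals()` as the known string, but the preceding `is_array()` check does not establish that the `hash` key exists or holds a string. With `==`, a missing key compared unequal to the non-empty request value; with `hash_equals()`, a null or non-string first argument is a type error instead. Guarding with `! empty( $new_admin_details[ 'hash' ] ) && is_string( $new_admin_details[ 'hash' ] )` before the comparison would keep a malformed stored option on the `updated=false` redirect path. Both enclosing `if` blocks continue past the end of the hunk.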