Ticket #53236: nonce-age-resolution.patch

src/wp-includes/pluggable.php

@@ -1160 +1160 @@
          * @param int|string $action    The nonce action.
          * @param string     $query_arg Optional. Key to check for nonce in `$_REQUEST`. Default '_wpnonce'.
          * @return int|false 1 if the nonce is valid and generated between 0-12 hours ago,
-         *                   2 if the nonce is valid and generated between 12-24 hours ago.
+         *                   2 if the nonce is valid and generated between 8-24 hours ago.
          *                   False if the nonce is invalid.
          */
         function check_admin_referer( $action = -1, $query_arg = '_wpnonce' ) {
@@ -1179 +1179 @@
                  *
                  * @param string    $action The nonce action.
                  * @param false|int $result False if the nonce is invalid, 1 if the nonce is valid and generated between
-                 *                          0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago.
+                 *                          0-12 hours ago, 2 if the nonce is valid and generated between 8-24 hours ago.
                  */
                 do_action( 'check_admin_referer', $action, $result );
 
@@ -1205 +1205 @@
          * @param bool         $die       Optional. Whether to die early when the nonce cannot be verified.
          *                                Default true.
          * @return int|false 1 if the nonce is valid and generated between 0-12 hours ago,
-         *                   2 if the nonce is valid and generated between 12-24 hours ago.
+         *                   2 if the nonce is valid and generated between 8-24 hours ago.
          *                   False if the nonce is invalid.
          */
         function check_ajax_referer( $action = -1, $query_arg = false, $die = true ) {
@@ -1232 +1232 @@
                  *
                  * @param string    $action The Ajax nonce action.
                  * @param false|int $result False if the nonce is invalid, 1 if the nonce is valid and generated between
-                 *                          0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago.
+                 *                          0-12 hours ago, 2 if the nonce is valid and generated between 8-24 hours ago.
                  */
                 do_action( 'check_ajax_referer', $action, $result );
 
@@ -2129 +2129 @@
         /**
          * Returns the time-dependent variable for nonce creation.
          *
-         * A nonce has a lifespan of two ticks. Nonces in their second tick may be
-         * updated, e.g. by autosave.
+         * A nonce has a lifespan of six ticks. Nonces in their fourth tick onwards
+         * may be updated, e.g. by autosave.
          *
          * @since 2.5.0
          *
@@ -2146 +2146 @@
                  */
                 $nonce_life = apply_filters( 'nonce_life', DAY_IN_SECONDS );
 
-                return ceil( time() / ( $nonce_life / 2 ) );
+                return ceil( time() / ( $nonce_life / 6 ) );
         }
 endif;
 
@@ -2154 +2154 @@
         /**
          * Verifies that a correct security nonce was used with time limit.
          *
-         * A nonce is valid for 24 hours (by default).
+         * A nonce is valid for at most 24 hours (by default).
          *
          * @since 2.0.3
          *
          * @param string     $nonce  Nonce value that was used for verification, usually via a form field.
          * @param string|int $action Should give context to what is taking place and be the same when nonce was created.
          * @return int|false 1 if the nonce is valid and generated between 0-12 hours ago,
-         *                   2 if the nonce is valid and generated between 12-24 hours ago.
+         *                   2 if the nonce is valid and generated between 8-24 hours ago.
          *                   False if the nonce is invalid.
          */
         function wp_verify_nonce( $nonce, $action = -1 ) {
@@ -2185 +2185 @@
                 }
 
                 $token = wp_get_session_token();
-                $i     = wp_nonce_tick();
+                $tick  = wp_nonce_tick();
+                $i     = 0;
 
-                // Nonce generated 0-12 hours ago.
-                $expected = substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
-                if ( hash_equals( $expected, $nonce ) ) {
-                        return 1;
-                }
+                while ( $i < 6 ) {
+                        $expected = substr( wp_hash( "$tick|$action|$uid|$token", 'nonce' ), -12, 10 );
+                        if ( hash_equals( $expected, $nonce ) ) {
+                                // Nonce generated 0-12 hours ago.
+                                if ( $i < 3 ) {
+                                        return 1;
+                                }
 
-                // Nonce generated 12-24 hours ago.
-                $expected = substr( wp_hash( ( $i - 1 ) . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
-                if ( hash_equals( $expected, $nonce ) ) {
-                        return 2;
+                                // Nonce generated 8-24 hours ago.
+                                return 2;
+                        }
+                        $tick--;
+                        $i++;
                 }
 
                 /**
@@ -2236 +2240 @@
                 }
 
                 $token = wp_get_session_token();
-                $i     = wp_nonce_tick();
+                $tick  = wp_nonce_tick();
 
-                return substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
+                return substr( wp_hash( "$tick|$action|$uid|$token", 'nonce' ), -12, 10 );
         }
 endif;