WordPress.org
Get WordPress

Make WordPress Core


Ignore:
File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/src/wp-includes/pluggable.php

    r29408 r28053  
    648648    $hash = hash_hmac('md5', $username . '|' . $expiration, $key);
    649649
    650     if ( ! hash_equals( $hash, $hmac ) ) {
     650    if ( hash_hmac( 'md5', $hmac, $key ) !== hash_hmac( 'md5', $hash, $key ) ) {
    651651        /**
    652652         * Fires if a bad authentication cookie hash is encountered.
     
    16591659
    16601660    // Nonce generated 0-12 hours ago
    1661     $expected = substr( wp_hash( $i . '|' . $action . '|' . $uid, 'nonce'), -12, 10 );
    1662     if ( hash_equals( $expected, $nonce ) ) {
     1661    if ( substr(wp_hash($i . $action . $uid, 'nonce'), -12, 10) === $nonce )
    16631662        return 1;
    1664     }
    1665 
    16661663    // Nonce generated 12-24 hours ago
    1667     $expected = substr( wp_hash( ( $i - 1 ) . '|' . $action . '|' . $uid, 'nonce' ), -12, 10 );
    1668     if ( hash_equals( $expected, $nonce ) ) {
     1664    if ( substr(wp_hash(($i - 1) . $action . $uid, 'nonce'), -12, 10) === $nonce )
    16691665        return 2;
    1670     }
    1671 
    16721666    // Invalid nonce
    16731667    return false;
     
    16941688    $i = wp_nonce_tick();
    16951689
    1696     return substr(wp_hash($i . '|' . $action . '|' . $uid, 'nonce'), -12, 10);
     1690    return substr(wp_hash($i . $action . $uid, 'nonce'), -12, 10);
    16971691}
    16981692endif;
     
    21142108        $avatar = "<img alt='{$safe_alt}' src='{$out}' class='avatar avatar-{$size} photo' height='{$size}' width='{$size}' />";
    21152109    } else {
    2116         $out = esc_url( $default );
    2117         $avatar = "<img alt='{$safe_alt}' src='{$out}' class='avatar avatar-{$size} photo avatar-default' height='{$size}' width='{$size}' />";
     2110        $avatar = "<img alt='{$safe_alt}' src='{$default}' class='avatar avatar-{$size} photo avatar-default' height='{$size}' width='{$size}' />";
    21182111    }
    21192112
     
    22082201endif;
    22092202
    2210 if ( ! function_exists( 'hash_equals' ) ) :
    2211 /**
    2212  * Compare two strings in constant time.
    2213  *
    2214  * This function is NOT pluggable. It is in this file (in addition to
    2215  * compat.php) to prevent errors if, during an update, pluggable.php
    2216  * copies over but compat.php does not.
    2217  *
    2218  * This function was added in PHP 5.6.
    2219  * It can leak the length of a string.
    2220  *
    2221  * @since 3.9.2
    2222  *
    2223  * @param string $a Expected string.
    2224  * @param string $b Actual string.
    2225  * @return bool Whether strings are equal.
    2226  */
    2227 function hash_equals( $a, $b ) {
    2228     $a_length = strlen( $a );
    2229     if ( $a_length !== strlen( $b ) ) {
    2230         return false;
    2231     }
    2232     $result = 0;
    2233 
    2234     // Do not attempt to "optimize" this.
    2235     for ( $i = 0; $i < $a_length; $i++ ) {
    2236         $result |= ord( $a[ $i ] ) ^ ord( $b[ $i ] );
    2237     }
    2238 
    2239     return $result === 0;
    2240 }
    2241 endif;
Note: See TracChangeset for help on using the changeset viewer.