Make WordPress Core


Timestamp:
08/06/2014 05:41:12 AM (10 years ago)
Author:
nacin
Message:

Constant time for wp_verify_nonce().

Merges [29382] to the 3.9 branch.

Adds a second copy of hash_equals() to pluggable.php in case compat.php is not copied over in an update. (The general goal is no cross-file dependencies for minor releases.)
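To make the point of the change concrete, here is an added PHP illustration (not WordPress code, and not part of this changeset) of why an early-exit string comparison leaks information and how the constant-time loop avoids it. The function names `early_exit_equals`, `constant_time_equals` and `verify_token`, the step counters and the sample token values are all constructed for the demo; `verify_token()` assumes `hash_equals()` is available, either natively (PHP 5.6+) or through a polyfill such as the one in compat.php.

```php
<?php
// Added illustration, not WordPress code: compares an early-exit comparison
// with a constant-time one. The $steps counters are demo instrumentation only.

/**
 * Early-exit comparison: stops at the first mismatching byte.
 * Returns array( bool equal, int bytes examined ).
 */
function early_exit_equals( $expected, $actual ) {
    $steps = 0;
    if ( strlen( $expected ) !== strlen( $actual ) ) {
        return array( false, $steps );
    }
    for ( $i = 0; $i < strlen( $expected ); $i++ ) {
        $steps++;
        if ( $expected[ $i ] !== $actual[ $i ] ) {
            // Work done depends on where the first mismatch sits.
            return array( false, $steps );
        }
    }
    return array( true, $steps );
}

/**
 * Constant-time comparison in the style of the hash_equals() polyfill:
 * once the lengths match, every byte is examined regardless of content.
 */
function constant_time_equals( $expected, $actual ) {
    $steps = 0;
    $len   = strlen( $expected );
    if ( $len !== strlen( $actual ) ) {
        // Length is still revealed, as the polyfill docblock notes.
        return array( false, $steps );
    }
    $result = 0;
    for ( $i = 0; $i < $len; $i++ ) {
        $steps++;
        $result |= ord( $expected[ $i ] ) ^ ord( $actual[ $i ] );
    }
    return array( $result === 0, $steps );
}

/**
 * Verification helper as a caller would write it after this change:
 * known value first, user-supplied value second, non-strings rejected.
 */
function verify_token( $expected, $provided ) {
    if ( ! is_string( $expected ) || ! is_string( $provided ) ) {
        return false;
    }
    // Native in PHP 5.6+, otherwise the compat.php polyfill (assumed loaded).
    return hash_equals( $expected, $provided );
}

// Constructed sample values: one mismatch at the first byte, one at the last,
// and one exact match.
$expected = 'a9f3c1d2e4b5';
$guesses  = array( 'z9f3c1d2e4b5', 'a9f3c1d2e4b9', 'a9f3c1d2e4b5' );

foreach ( $guesses as $g ) {
    list( $eq1, $n1 ) = early_exit_equals( $expected, $g );
    list( $eq2, $n2 ) = constant_time_equals( $expected, $g );
    printf(
        "%s  early-exit: %s after %2d bytes | constant-time: %s after %2d bytes\n",
        $g,
        $eq1 ? 'match' : 'miss ',
        $n1,
        $eq2 ? 'match' : 'miss ',
        $n2
    );
}

var_dump( verify_token( $expected, 'a9f3c1d2e4b5' ) );
var_dump( verify_token( $expected, array() ) );
```

Run it with `php demo.php`. The early-exit variant does an amount of work that depends on how many leading bytes the guess shares with the expected value, which is exactly the signal a timing attack measures; the constant-time variant does the same amount of work for every equal-length input. The only difference it exposes is the length mismatch, which the polyfill's docblock documents.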

Location:
branches/3.9
Files:
2 edited

  • branches/3.9

  • branches/3.9/src/wp-includes/compat.php

    r18404 r29384  
    9595    }
    9696}
     97
     98if ( ! function_exists( 'hash_equals' ) ) :
     99/**
     100 * Compare two strings in constant time.
     101 *
     102 * This function was added in PHP 5.6.
     103 * It can leak the length of a string.
     104 *
     105 * @since 3.9.2
     106 *
     107 * @param string $a Expected string.
     108 * @param string $b Actual string.
     109 * @return bool Whether strings are equal.
     110 */
     111function hash_equals( $a, $b ) {
     112    $a_length = strlen( $a );
     113    if ( $a_length !== strlen( $b ) ) {
     114        return false;
     115    }
     116    $result = 0;
     117
     118    // Do not attempt to "optimize" this.
     119    for ( $i = 0; $i < $a_length; $i++ ) {
     120        $result |= ord( $a[ $i ] ) ^ ord( $b[ $i ] );
     121    }
     122
     123    return $result === 0;
     124}
     125endif;
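Review bot: the polyfill diverges from the native `hash_equals()` on non-string arguments. PHP 5.6's built-in emits a warning and returns false when either argument is not a string, whereas this version calls `strlen()` on whatever it receives, so a caller passing an array or an integer gets different behaviour depending on which implementation is active. Adding `if ( ! is_string( $a ) || ! is_string( $b ) ) { return false; }` ahead of the length check keeps the two consistent. The early return on a length mismatch is acceptable here and is already documented in the docblock ("It can leak the length of a string"); the `// Do not attempt to "optimize" this.` comment is the right guard against someone later short-circuiting the loop.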