Changeset 29408


Timestamp:
08/06/2014 05:52:49 PM (5 years ago)
Author:
nacin
Message:

Use delimiters when building nonce hashes. Part two of [29384].

File:
1 edited

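--- a/branches/3.9/src/wp-includes/pluggable.php
+++ b/branches/3.9/src/wp-includes/pluggable.php
@@ -1659,5 +1659,5 @@
 
     // Nonce generated 0-12 hours ago
-    $expected = substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce'), -12, 10 );
+    $expected = substr( wp_hash( $i . '|' . $action . '|' . $uid, 'nonce'), -12, 10 );
     if ( hash_equals( $expected, $nonce ) ) {
         return 1;
@@ -1665,5 +1665,5 @@
 
     // Nonce generated 12-24 hours ago
-    $expected = substr( wp_hash( ( $i - 1 ) . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
+    $expected = substr( wp_hash( ( $i - 1 ) . '|' . $action . '|' . $uid, 'nonce' ), -12, 10 );
     if ( hash_equals( $expected, $nonce ) ) {
         return 2;
@@ -1694,5 +1694,5 @@
     $i = wp_nonce_tick();
 
-    return substr(wp_hash($i . $action . $uid, 'nonce'), -12, 10);
+    return substr(wp_hash($i . '|' . $action . '|' . $uid, 'nonce'), -12, 10);
 }
 endif;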
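Review bot: The hash input `$i . '|' . $action . '|' . $uid` is now hand-copied in three places (both `$expected` assignments and the final `return substr(...)`), with nothing tying the copies together. The removed lines show the cost of drift: the two verify-side expressions carried `'|'` delimiters and `$token` while the create-side one had neither, so a nonce built by the one would not have matched the other. I would add a comment on each copy, e.g. `// Hash input must stay byte-identical between nonce creation and verification.`; the enclosing functions start outside the hunks shown. The delimiter removes field ambiguity only while `$i` and `$uid` can never contain `|`, which seems likely for a tick and a user ID but is not established by these lines.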