Changes from trunk/src/wp-includes/pluggable.php at r28053 to branches/3.9/src/wp-includes/pluggable.php at r29408

File:

• branches/3.9/src/wp-includes/pluggable.php (modified) (5 diffs)

branches/3.9/src/wp-includes/pluggable.php

@@ -648 +648 @@
     $hash = hash_hmac('md5', $username . '|' . $expiration, $key);
 
-    if ( hash_hmac( 'md5', $hmac, $key ) !== hash_hmac( 'md5', $hash, $key ) ) {
+    if ( ! hash_equals( $hash, $hmac ) ) {
         /**
          * Fires if a bad authentication cookie hash is encountered.
@@ -1659 +1659 @@
 
     // Nonce generated 0-12 hours ago
-    if ( substr(wp_hash($i . $action . $uid, 'nonce'), -12, 10) === $nonce )
+    $expected = substr( wp_hash( $i . '|' . $action . '|' . $uid, 'nonce'), -12, 10 );
+    if ( hash_equals( $expected, $nonce ) ) {
         return 1;
+    }
+
     // Nonce generated 12-24 hours ago
-    if ( substr(wp_hash(($i - 1) . $action . $uid, 'nonce'), -12, 10) === $nonce )
+    $expected = substr( wp_hash( ( $i - 1 ) . '|' . $action . '|' . $uid, 'nonce' ), -12, 10 );
+    if ( hash_equals( $expected, $nonce ) ) {
         return 2;
+    }
+
     // Invalid nonce
     return false;
@@ -1688 +1694 @@
     $i = wp_nonce_tick();
 
-    return substr(wp_hash($i . $action . $uid, 'nonce'), -12, 10);
+    return substr(wp_hash($i . '|' . $action . '|' . $uid, 'nonce'), -12, 10);
 }
 endif;
@@ -2108 +2114 @@
         $avatar = "<img alt='{$safe_alt}' src='{$out}' class='avatar avatar-{$size} photo' height='{$size}' width='{$size}' />";
     } else {
-        $avatar = "<img alt='{$safe_alt}' src='{$default}' class='avatar avatar-{$size} photo avatar-default' height='{$size}' width='{$size}' />";
+        $out = esc_url( $default );
+        $avatar = "<img alt='{$safe_alt}' src='{$out}' class='avatar avatar-{$size} photo avatar-default' height='{$size}' width='{$size}' />";
     }
 
@@ -2201 +2208 @@
 endif;
 
+if ( ! function_exists( 'hash_equals' ) ) :
+/**
+ * Compare two strings in constant time.
+ *
+ * This function is NOT pluggable. It is in this file (in addition to
+ * compat.php) to prevent errors if, during an update, pluggable.php
+ * copies over but compat.php does not.
+ *
+ * This function was added in PHP 5.6.
+ * It can leak the length of a string.
+ *
+ * @since 3.9.2
+ *
+ * @param string $a Expected string.
+ * @param string $b Actual string.
+ * @return bool Whether strings are equal.
+ */
+function hash_equals( $a, $b ) {
+    $a_length = strlen( $a );
+    if ( $a_length !== strlen( $b ) ) {
+        return false;
+    }
+    $result = 0;
+
+    // Do not attempt to "optimize" this.
+    for ( $i = 0; $i < $a_length; $i++ ) {
+        $result |= ord( $a[ $i ] ) ^ ord( $b[ $i ] );
+    }
+
+    return $result === 0;
+}
+endif;