Changeset 38032


Timestamp:
07/10/2016 07:42:02 PM (4 years ago)
Author:
ocean90
Message:

Multisite: Use hash_equals() when comparing hashes to mitigate timing attacks.

Fixes #37324.

Location:
trunk/src/wp-admin
Files:
2 edited

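--- a/trunk/src/wp-admin/ms-delete-site.php
+++ b/trunk/src/wp-admin/ms-delete-site.php
@@ -17,5 +17,5 @@
 
 if ( isset( $_GET['h'] ) && $_GET['h'] != '' && get_option( 'delete_blog_hash' ) != false ) {
-    if ( get_option( 'delete_blog_hash' ) == $_GET['h'] ) {
+    if ( hash_equals( get_option( 'delete_blog_hash' ), $_GET['h'] ) ) {
         wpmu_delete_blog( $wpdb->blogid );
         wp_die( sprintf( __( 'Thank you for using %s, your site has been deleted. Happy trails to you until we meet again.' ), $current_site->site_name ) );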
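Review bot: The new hash_equals() call on line 19 still receives $_GET['h'] unvalidated, and the guard on line 18 only rejects an empty string with a loose comparison, so a non-string query value (for example an array) reaches hash_equals(), which emits a warning and returns false instead of performing the comparison; whatever polyfill is in place for PHP versions without the native function very likely behaves the same. Tighten the guard to `if ( isset( $_GET['h'] ) && is_string( $_GET['h'] ) && '' !== $_GET['h'] && false !== get_option( 'delete_blog_hash' ) ) {` so that only a non-empty string is ever compared. The argument order is right as committed: the stored hash is the known value and the request value is second. The same unvalidated $_GET argument also appears in the options.php hunk in this changeset. The outer if block's closing brace lies past the end of this hunk.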
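--- a/trunk/src/wp-admin/options.php
+++ b/trunk/src/wp-admin/options.php
@@ -58,5 +58,5 @@
         $new_admin_details = get_option( 'adminhash' );
         $redirect = 'options-general.php?updated=false';
-        if ( is_array( $new_admin_details ) && $new_admin_details[ 'hash' ] == $_GET[ 'adminhash' ] && !empty($new_admin_details[ 'newemail' ]) ) {
+        if ( is_array( $new_admin_details ) && hash_equals( $new_admin_details[ 'hash' ], $_GET[ 'adminhash' ] ) && !empty($new_admin_details[ 'newemail' ]) ) {
             update_option( 'admin_email', $new_admin_details[ 'newemail' ] );
             delete_option( 'adminhash' );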
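Review bot: `$new_admin_details[ 'hash' ]` on line 60 is read without an isset() check, so a stored option that is an array lacking that key raises an undefined-index notice and passes null to hash_equals(), which then warns and returns false rather than reporting a clean mismatch; `$_GET[ 'adminhash' ]` is likewise never confirmed to be a string before it is handed to hash_equals(). Suggest `if ( is_array( $new_admin_details ) && isset( $new_admin_details['hash'] ) && is_string( $_GET['adminhash'] ) && hash_equals( $new_admin_details['hash'], $_GET['adminhash'] ) && ! empty( $new_admin_details['newemail'] ) ) {`. The enclosing block, which presumably tests isset( $_GET['adminhash'] ), begins before line 58 and its closing brace lies past line 62, so both are outside this hunk.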