Changeset 38032 for trunk/src/wp-admin/options.php

Timestamp:

07/10/2016 07:42:02 PM (9 years ago)

Author:

ocean90

Message:

Multisite: Use hash_equals() when comparing hashes to mitigate timing attacks.

Fixes #37324.

File:

• trunk/src/wp-admin/options.php (modified) (1 diff)

trunk/src/wp-admin/options.php

@@ -58 +58 @@
         $new_admin_details = get_option( 'adminhash' );
         $redirect = 'options-general.php?updated=false';
-        if ( is_array( $new_admin_details ) && $new_admin_details[ 'hash' ] == $_GET[ 'adminhash' ] && !empty($new_admin_details[ 'newemail' ]) ) {
+        if ( is_array( $new_admin_details ) && hash_equals( $new_admin_details[ 'hash' ], $_GET[ 'adminhash' ] ) && !empty($new_admin_details[ 'newemail' ]) ) {
             update_option( 'admin_email', $new_admin_details[ 'newemail' ] );
             delete_option( 'adminhash' );