WordPress.org

Make WordPress Core

Changeset 43367


Timestamp: 06/16/2018 02:09:58 PM (3 years ago)
Author: johnbillion
Message:

Security: Harden the random aspect of the hash used for user profile and admin email address changes.

Props BjornW

Fixes #43771

Location: trunk/src
Files: 2 edited

  • trunk/src/wp-admin/includes/misc.php

    r43363 r43367  
    12061206    }
    12071207
    1208     $hash            = md5( $value . time() . mt_rand() );
     1208    $hash            = md5( $value . time() . wp_rand() );
    12091209    $new_admin_email = array(
    12101210        'hash'     => $hash,
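
Review bot: on new line 1208 the only unpredictable input to the hash is the single wp_rand() call; $value is the address being requested and time() can be guessed to within a small window, and md5() adds no entropy of its own. Consider deriving the confirmation hash from a longer random string (for example the output of wp_generate_password()) rather than one wp_rand() integer, and add a short comment stating that this hash is a secret confirmation token so a later edit does not reintroduce a predictable source.
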
  • trunk/src/wp-includes/user.php

    r43353 r43367  
    27272727        }
    27282728
    2729         $hash           = md5( $_POST['email'] . time() . mt_rand() );
     2729        $hash           = md5( $_POST['email'] . time() . wp_rand() );
    27302730        $new_user_email = array(
    27312731            'hash'     => $hash,
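
Review bot: new line 2729 repeats the md5( ... . time() . wp_rand() ) construction from misc.php line 1208, differing only in the first operand ($_POST['email'] here, $value there). Suggest moving the token generation into one shared helper that both call sites use, so any later strengthening is made once and the two confirmation flows cannot drift apart.
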