WordPress.org

Make WordPress Core

Changeset 43368


Timestamp:
06/16/2018 02:12:55 PM (3 years ago)
Author:
johnbillion
Message:

Security: Harden the random aspect of the hash used for user profile and admin email address changes.

Props BjornW

Fixes #43771

Merges [43367] to the 4.9 branch.

Location:
branches/4.9
Files:
3 edited

  • branches/4.9

  • branches/4.9/src/wp-admin/includes/misc.php

    r43364 r43368  
    11591159    }
    11601160
    1161     $hash = md5( $value . time() . mt_rand() );
     1161    $hash = md5( $value . time() . wp_rand() );
    11621162    $new_admin_email = array(
    11631163        'hash'     => $hash,
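Review bot: At line 1161 the unpredictability of `$hash` rests entirely on the single `wp_rand()` call, because `$value` is the address the requester submitted and `time()` can be guessed to within a few seconds. Consider building the confirmation token from a longer random string, for example `wp_generate_password( 32, false )`, instead of hashing one random integer together with known inputs. If the `md5()` construction stays, an inline comment saying why `wp_rand()` is required here rather than `mt_rand()` would help keep a later edit from reverting it.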
  • branches/4.9/src/wp-includes/user.php

    r43354 r43368  
    26512651        }
    26522652
    2653         $hash           = md5( $_POST['email'] . time() . mt_rand() );
     2653        $hash           = md5( $_POST['email'] . time() . wp_rand() );
    26542654        $new_user_email = array(
    26552655            'hash'     => $hash,
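Review bot: Line 2653 repeats the token expression from `wp-admin/includes/misc.php` with only the first input changed (`$_POST['email']` instead of `$value`), so the same fix had to be applied by hand in two places. Moving the token generation into one shared helper that both the admin email and user email change paths call would keep them from drifting apart, and would give a single place to document that the random part must come from `wp_rand()`.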