Make WordPress Core


Timestamp:
06/16/2018 02:12:55 PM
Author:
johnbillion
Message:

Security: Harden the random aspect of the hash used for user profile and admin email address changes.

Props BjornW

Fixes #43771

Merges [43367] to the 4.9 branch.

Location:
branches/4.9
Files:
2 edited

  • branches/4.9

  • branches/4.9/src/wp-includes/user.php

    r43354 r43368  
    26512651        }
    26522652
    2653         $hash           = md5( $_POST['email'] . time() . mt_rand() );
     2653        $hash           = md5( $_POST['email'] . time() . wp_rand() );
    26542654        $new_user_email = array(
    26552655            'hash'     => $hash,
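
Review bot: On the changed `$hash` line, `wp_rand()` is now the only unpredictable input to `md5()`, since `$_POST['email']` is supplied by the requester and `time()` can be guessed to within a few seconds. The strength of the confirmation hash is therefore capped by the range of a single `wp_rand()` call, which is a 32-bit range when it is called without arguments. Consider building the token from a longer random value instead, for example `wp_generate_password( 32, false )`, and add a short inline comment stating that this value is a confirmation secret so a later edit does not swap `mt_rand()` back in.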