Make WordPress Core


Timestamp: 03/03/2025 09:49:36 AM (5 months ago)
Author: johnbillion
Message:

Security: Reduce the length of the hash returned by wp_fast_hash() so it can be used in the user_activation_key field when a legacy database schema is still in use.

This reduces the hash length from 32 bytes to 30 so the overall length of an activation key after encoding, prefixing, and prepending a timestamp fits into 60 bytes.

A key is also introduced for domain separation. This doesn't affect the output length.

Props dd32, paragoninitiativeenterprises, peterwilsoncc, johnbillion

Fixes #21022
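As an added illustration of the length budget and the domain-separation key described in the commit message (example code, not WordPress's own; the helper names, the `<unix timestamp>:<hash>` layout of the stored activation key and the 60-byte limit are assumptions taken from the message, not read from the schema):

```php
<?php
// Added example, not part of WordPress core. Requires ext/sodium (bundled since PHP 7.2).
// It reproduces the shape of wp_fast_hash() before and after r59904 so the resulting
// activation-key length can be compared against the 60-byte legacy budget.

function legacy_generic_hash( string $message ): string {
    // Pre-r59904 shape: 32-byte unkeyed BLAKE2b, hex encoded (64 characters).
    return '$generic$' . sodium_bin2hex( sodium_crypto_generichash( $message ) );
}

function short_generic_hash( string $message ): string {
    // r59904 shape: 30-byte BLAKE2b keyed with a fixed domain-separation string,
    // URL-safe base64 without padding (30 bytes -> 40 characters, no '=' needed).
    // The key is 17 bytes, inside libsodium's 16..64-byte key range for generichash.
    $hashed = sodium_crypto_generichash( $message, 'wp_fast_hash_6.8+', 30 );
    return '$generic$' . sodium_bin2base64( $hashed, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING );
}

function activation_key( string $hash ): string {
    // Assumed layout (per the commit message): a Unix timestamp prepended to the
    // prefixed, encoded hash, separated by a colon. time() is 10 digits until 2286.
    return time() . ':' . $hash;
}

// Constructed sample input standing in for the random key WordPress hashes.
$key = random_bytes( 20 );

$old = activation_key( legacy_generic_hash( $key ) );
$new = activation_key( short_generic_hash( $key ) );

// Budget check: 11 (timestamp + ':') + 9 ('$generic$') + 64 (hex) = 84 for the old
// form, versus 11 + 9 + 40 (base64) = 60 for the new one.
foreach ( [ 'legacy' => $old, 'r59904' => $new ] as $label => $value ) {
    printf(
        "%-7s %d bytes: %s\n",
        $label,
        strlen( $value ),
        strlen( $value ) <= 60 ? 'fits the 60-byte column' : 'exceeds the 60-byte column'
    );
}

// Domain separation: the same message hashed to 30 bytes without the key yields a
// different digest, so a truncated unkeyed hash is not interchangeable with the
// keyed one produced by the new wp_fast_hash().
$unkeyed = sodium_crypto_generichash( $key, '', 30 );
$keyed   = sodium_crypto_generichash( $key, 'wp_fast_hash_6.8+', 30 );
echo 'keyed and unkeyed digests equal: ' . ( hash_equals( $unkeyed, $keyed ) ? 'yes' : 'no' ) . "\n";
```

Run it with `php example.php`; the two `printf` lines show why the 32-byte hex form could not be stored in the legacy column while the 30-byte base64 form lands exactly on the limit, and the final line shows that the key changes the digest rather than only its length.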

File: 1 edited

  • trunk/src/wp-includes/functions.php

    r59830 r59904  
    91439143    string $message
    91449144): string {
    9145     return '$generic$' . sodium_bin2hex( sodium_crypto_generichash( $message ) );
     9145    $hashed = sodium_crypto_generichash( $message, 'wp_fast_hash_6.8+', 30 );
     9146    return '$generic$' . sodium_bin2base64( $hashed, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING );
    91469147}
    91479148
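Review bot: the '$generic$' prefix on 9146 is unchanged while both the digest (32-byte unkeyed on the removed 9145, 30-byte keyed on the new 9145) and its encoding (sodium_bin2hex versus sodium_bin2base64 with SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING) change, so a value produced by the old form (64 hex characters after the prefix) can no longer be reproduced by this function, and nothing in the stored string distinguishes the two formats. Either introduce a distinct prefix for the new format or confirm that the verification side accepts both, and record that decision in the docblock together with the reason for 30 (the prefix is 9 bytes and the encoded 30-byte digest is 40, which is what leaves room for the timestamp inside 60). Minor: the key 'wp_fast_hash_6.8+' is a bare literal on 9145; a named constant with a comment would make its role as a domain-separation key (17 bytes, within libsodium's 16..64-byte generichash key range) explicit and keep the hashing and verifying call sites in sync.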