Make WordPress Core

Opened 10 years ago

Closed 10 years ago

Last modified 9 years ago

#28783 closed enhancement (fixed)

Notice on "get_instance_hash_key()"

Reported by: juliobox's profile juliobox Owned by: sergeybiryukov's profile SergeyBiryukov
Milestone: 4.0 Priority: normal
Severity: normal Version: 3.9
Component: Widgets Keywords: has-patch commit
Focuses: Cc:

Description

Hello

In get_instance_hash_key() in https://core.trac.wordpress.org/browser/tags/3.9/src/wp-includes/class-wp-customize-widgets.php#L1140 tries to read a constant, hardcoded.

$hash = md5( AUTH_KEY . serialize( $instance ) );

I propose to do it in a good way, as usual in fact:

$hash = md5( wp_salt( 'auth' ) . serialize( $instance ) );

Thank you

Attachments (2)

28783.patch (485 bytes) - added by juliobox 10 years ago.
Modified get_instance_hash_key()
28783-2.patch (474 bytes) - added by juliobox 10 years ago.

Download all attachments as: .zip

Change History (7)

@juliobox
10 years ago

Modified get_instance_hash_key()

#1 @westonruter
10 years ago

  • Keywords has-patch added

Good catch. For that matter, should we not just go ahead and use wp_hash as well?

- $hash = md5( AUTH_KEY . serialize( $instance ) ); 
+ $hash = wp_hash( serialize( $instance ) );

#2 @SergeyBiryukov
10 years ago

  • Keywords commit added
  • Milestone changed from Awaiting Review to 4.0

#3 @juliobox
10 years ago

@westonruter you're right this is better, new patch added.

@juliobox
10 years ago

This ticket was mentioned in IRC in #wordpress-dev by helen. View the logs.


10 years ago

#5 @SergeyBiryukov
10 years ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 29028:

Use wp_hash() instead of AUTH_KEY in WP_Customize_Widgets::get_instance_hash_key().

props juliobox.
fixes #28783.

Note: See TracTickets for help on using tickets.