WordPress.org

Make WordPress Core

Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#33635 closed defect (bug) (invalid)

$nonce_life is actually twice nonce life

Reported by: ericlewis Owned by:
Milestone: Priority: normal
Severity: normal Version: 2.5
Component: Security Keywords:
Focuses: docs Cc:

Description

wp_nonce_tick() creates a deterministic string that changes when a nonce expires.

The value $nonce_life is made available for filtering. The default says a nonce lasts a day. This is incorrect because of the division by two used in the return expression.

Here's some scratch math because yes I had to type this out

time()		nonce_life			return
0		86400				0		(Jan 1, 1970, 00:00:00)
1		86400				1		(Jan 1, 1970, 00:00:01)
43200		86400				1		(Jan 1, 1970, 12:00:00)
43201		86400				2		(Jan 1, 1970, 12:00:01)
86400		86400				2		(Jan 2, 1970, 00:00:00)
86401		86400				3		(Jan 2, 1970, 00:00:01)

Change History (3)

#1 @ericlewis
6 years ago

  • Component changed from General to Security
  • Focuses docs added
  • Keywords needs-patch needs-docs added
  • Milestone changed from Awaiting Review to Future Release
  • Version set to 2.5

We should modify the documentation block for the nonce_life filter to describe this, and perhaps move the divide-by-two operation up to the $nonce_life instantiation (without modifying the value sent through the filter).

Last edited 6 years ago by ericlewis (previous) (diff)

#2 @ericlewis
6 years ago

  • Milestone Future Release deleted
  • Resolution set to invalid
  • Status changed from new to closed

Nevermind — just saw wp_verify_nonce() back-validates nonces from 12-24 hours ago.

Although the math presented earlier does expose that corner cases here can occur with nonces, because of the time-window that wp_nonce_tick() creates.

e.g.

It's 8/31/2015 20:12:02 UTC (1441051922 in Unix epoch), wp_nonce_tick() returns 33358.

When it turns 9/1/2015 00:00:01 UTC (1441065601 in Unix epoch), wp_nonce_tick() returns 33359. The nonce I made earlier is still valid.

When it turns 9/1/2015 12:00:01 UTC (1441108801 in Unix epoch), wp_nonce_tick() returns 33340. The nonce I made earlier is invalid, even though it is only 14 hours old.

#3 @ericlewis
6 years ago

  • Keywords needs-patch needs-docs removed
Note: See TracTickets for help on using tickets.