Opened 4 years ago

Closed 4 years ago

#37324 closed defect (bug) (fixed)

Use hash_equals() when comparing hashes

Reported by: ocean90 Owned by: ocean90
Milestone: 4.6 Priority: normal
Severity: normal Version:
Component: Security Keywords: has-patch
Focuses: multisite Cc:
PR Number:

Description

For hardening purposes we should use hash_equals() whenever we compare a (password) hash against user input. hash_equals() does a timing attack safe string comparison.

Attachments (1)

37324.patch (1.5 KB) - added by ocean90 4 years ago.

Change History (2)

@ocean90
4 years ago

#1 @ocean90
4 years ago

  • Owner set to ocean90
  • Resolution set to fixed
  • Status changed from new to closed

In 38032:

Multisite: Use hash_equals() when comparing hashes to mitigate timing attacks.

Fixes #37324.
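
The comparison this ticket describes, as an added example that is not taken from 37324.patch or from WordPress core: a stored hash checked against user input with the ordinary operator and with hash_equals(). The function names, the secret and the sample keys are hypothetical and constructed for illustration.

```php
<?php
// Added example: hypothetical helpers, constructed sample values.

/**
 * Weak form: === on strings is not a constant-time comparison, so the time
 * it takes can depend on where the two hashes first differ.
 */
function key_matches_weak( $stored_hash, $submitted_key, $secret ) {
	return $stored_hash === hash_hmac( 'sha256', (string) $submitted_key, $secret );
}

/**
 * Hardened form: hash the submitted value, then compare with hash_equals().
 */
function key_matches( $stored_hash, $submitted_key, $secret ) {
	// hash_equals() accepts only strings. Request parameters can arrive as
	// arrays (key[]=x) or be missing, so reject anything else up front.
	if ( ! is_string( $stored_hash ) || ! is_string( $submitted_key ) ) {
		return false;
	}
	if ( '' === $stored_hash || '' === $submitted_key ) {
		return false;
	}

	$candidate = hash_hmac( 'sha256', $submitted_key, $secret );

	// Known (stored) value first, value derived from user input second.
	return hash_equals( $stored_hash, $candidate );
}

// Constructed sample data.
$secret = 'constructed-demo-secret';
$stored = hash_hmac( 'sha256', 'constructed-activation-key', $secret );

$inputs = array(
	'correct key' => 'constructed-activation-key',
	'wrong key'   => 'constructed-activation-kez',
	'array input' => array( 'constructed-activation-key' ),
	'empty input' => '',
);

foreach ( $inputs as $label => $input ) {
	echo $label, ': ';
	var_dump( key_matches( $stored, $input, $secret ) );
}
```

hash_equals() does not hide the length of the known string, which is one reason to compare fixed-length digests rather than raw secrets.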
