Make WordPress Core

Opened 8 years ago

Closed 8 years ago

#37324 closed defect (bug) (fixed)

Use hash_equals() when comparing hashes

Reported by: ocean90 Owned by: ocean90
Milestone: 4.6 Priority: normal
Severity: normal Version:
Component: Security Keywords: has-patch
Focuses: multisite Cc:


For hardening purposes we should use hash_equals() whenever we compare a (password) hash against user input. hash_equals() does a timing attack safe string comparison.

Attachments (1)

37324.patch (1.5 KB) - added by ocean90 8 years ago.


Change History (2)

#1 @ocean90
8 years ago

  • Owner set to ocean90
  • Resolution set to fixed
  • Status changed from new to closed

In 38032:

Multisite: Use hash_equals() when comparing hashes to mitigate timing attacks.

Fixes #37324.
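
The comparison this ticket asks for, as an added example (not the code from 37324.patch or from WordPress core). The function names and sample values are hypothetical; it shows the `===` form beside the `hash_equals()` form, the non-string input case, and what a timing-safe comparison does internally.

```php
<?php
// Added example. Function names and sample values are hypothetical/constructed.

// Before: === is not guaranteed to take the same time for every mismatch;
// the underlying byte comparison may stop at the first differing byte.
function check_hash_unsafe( $stored_hash, $user_hash ) {
	return $stored_hash === $user_hash;
}

// After: hash_equals() takes the same time wherever the strings differ.
function check_hash_safe( $stored_hash, $user_hash ) {
	// Request values can arrive as arrays (?key[]=x); hash_equals() only
	// accepts strings, so reject anything else before calling it.
	if ( ! is_string( $stored_hash ) || ! is_string( $user_hash ) ) {
		return false;
	}
	// Argument order: known value first, user-supplied value second.
	return hash_equals( $stored_hash, $user_hash );
}

// What a timing-safe comparison does: visit every byte and accumulate the
// differences, instead of returning at the first mismatch.
function constant_time_equals( string $known, string $user ): bool {
	if ( strlen( $known ) !== strlen( $user ) ) {
		return false; // Digest length is fixed and public, so this leaks nothing secret.
	}
	$diff = 0;
	for ( $i = 0, $n = strlen( $known ); $i < $n; $i++ ) {
		$diff |= ord( $known[ $i ] ) ^ ord( $user[ $i ] );
	}
	return 0 === $diff;
}

// Constructed sample data: a stored digest and three candidate inputs.
$stored     = hash_hmac( 'sha256', 'constructed-message', 'constructed-secret' );
$candidates = array(
	'exact match'      => $stored,
	'last byte wrong'  => substr( $stored, 0, -1 ) . ( 'f' === $stored[63] ? '0' : 'f' ),
	'array from query' => array( $stored ),
);

foreach ( $candidates as $label => $input ) {
	printf( "%-17s safe=%s\n", $label, var_export( check_hash_safe( $stored, $input ), true ) );
}
var_dump( constant_time_equals( $stored, $stored ) );
```

hash_equals() returns false immediately when the two lengths differ, so it should be given fixed-length digests rather than raw secrets of varying length.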
