#8212 closed defect (bug) (fixed)
generate/validate_auth_cookie doesn't always check scheme
Reported by: | | Owned by: |
---|---|---|---|
Milestone: | 2.7 | Priority: | normal
Severity: | normal | Version: |
Component: | General | Keywords: |
Focuses: | | Cc: |
Description
When using wp_generate_auth_cookie() and wp_validate_auth_cookie() with one of the standard auth schemes (auth, secure_auth, logged_in), the cookie will correctly fail to validate if the wrong scheme is used:
```php
$cookie = wp_generate_auth_cookie(1, time() + 3600, 'auth');
$this->assertEquals( 1, wp_validate_auth_cookie($cookie, 'auth') ); // pass

$cookie = wp_generate_auth_cookie(1, time() + 3600, 'auth');
$this->assertEquals( false, wp_validate_auth_cookie($cookie, 'logged_in') ); // pass
```
However, this is not the case when arbitrary auth schemes are used. The cookie will validate even if the scheme is incorrect.
```php
$cookie = wp_generate_auth_cookie(1, time() - 3600, 'foo');
$this->assertEquals( false, wp_validate_auth_cookie($cookie, 'bar') ); // this should fail, but doesn't
```
The reason the built-in schemes work as expected is that they each use a unique salt. Arbitrary schemes all use the same salt (see wp_salt()).
NB: I don't believe this is a core security issue, but fixing it could prevent future problems.
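The salt-collapse described in the ticket, shown as an added model that is not WordPress code: a cookie is `user|expiration|HMAC`, keyed by a per-scheme salt. With the "before" salt lookup, every non-standard scheme falls back to the same site secret, so a cookie minted for scheme `foo` verifies under scheme `bar`; with the "after" lookup, unknown schemes get a fallback salt derived from the scheme name, and cross-scheme validation fails. The secret, the salt table, the HMAC algorithm and the `now` parameter are all constructed for this example and do not mirror `wp_salt()` or `wp_hash()` exactly.

```python
import hashlib
import hmac
import time

# Constructed stand-ins for the site secret and the three standard scheme salts.
SECRET_KEY = b"constructed-site-secret-key"
SCHEME_SALTS = {
    "auth": b"constructed-auth-salt",
    "secure_auth": b"constructed-secure-auth-salt",
    "logged_in": b"constructed-logged-in-salt",
}


def salt_before(scheme):
    # Models the reported defect: every non-standard scheme shares one salt,
    # so the scheme name never enters the MAC key.
    return SCHEME_SALTS.get(scheme, SECRET_KEY)


def salt_after(scheme):
    # Models the fix: unknown schemes get a fallback salt that is unique to
    # the scheme name (derivation chosen here, not WordPress's).
    if scheme in SCHEME_SALTS:
        return SCHEME_SALTS[scheme]
    return hashlib.sha256(SECRET_KEY + b"|" + scheme.encode()).digest()


def generate_auth_cookie(user_id, expiration, scheme, salt_fn):
    # Cookie = user|expiration|MAC, with the MAC keyed by the scheme's salt.
    msg = f"{user_id}|{expiration}".encode()
    mac = hmac.new(salt_fn(scheme), msg, hashlib.sha256).hexdigest()
    return f"{user_id}|{expiration}|{mac}"


def validate_auth_cookie(cookie, scheme, salt_fn, now=None):
    # Returns the user id on success, False on any failure (expired, malformed,
    # or MAC mismatch). `now` is injectable so the checks are deterministic.
    parts = cookie.split("|")
    if len(parts) != 3:
        return False
    user_id, expiration, mac = parts
    if not expiration.isdigit() or int(expiration) < (now if now is not None else time.time()):
        return False
    msg = f"{user_id}|{expiration}".encode()
    expected = hmac.new(salt_fn(scheme), msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False
    return int(user_id)


if __name__ == "__main__":
    exp, now = 2_000_000_000, 1_000_000_000
    c = generate_auth_cookie(1, exp, "foo", salt_before)
    print("before fix, foo cookie under bar:", validate_auth_cookie(c, "bar", salt_before, now))
    c = generate_auth_cookie(1, exp, "foo", salt_after)
    print("after fix, foo cookie under bar: ", validate_auth_cookie(c, "bar", salt_after, now))
```

The detection here is the same cross-scheme assertion the ticket's unit test makes: mint under one scheme, validate under another, and expect `False`. The mitigation is domain separation in the key, so that the scheme name is bound into the MAC rather than relying on callers never to reuse a cookie across schemes.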
Attachments (1)
Change History (5)
unique-salt-r9678.patch fixes the problem by providing a fallback salt value that's unique to each auth scheme.
Unit tests are in http://svn.automattic.com/wordpress-tests/wp-testcase/test_includes_pluggable.php TestAuthFunctions. There's one failure before the patch, all pass afterwards.
I made a typo in one of the examples above (-3600 instead of +3600) but the unit tests in svn are correct.