From a50330dd4507ba248164d1af3beb1f466e54f787 Mon Sep 17 00:00:00 2001
From: ryan
Date: Wed, 31 May 2006 00:24:03 +0000
Subject: [PATCH] wp_hash() and server secret.

git-svn-id: http://svn.automattic.com/wordpress/trunk@3810 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/upgrade-schema.php | 4 ++++
 wp-includes/cache.php | 18 +++++++++++++++---
 wp-includes/pluggable-functions.php | 18 ++++++++++++++++--
 wp-includes/version.php | 2 +-
 4 files changed, 36 insertions(+), 6 deletions(-)

diff --git a/wp-admin/upgrade-schema.php b/wp-admin/upgrade-schema.php
index 1328f48a2e..d616fb651a 100644
--- a/wp-admin/upgrade-schema.php
+++ b/wp-admin/upgrade-schema.php
@@ -224,6 +224,10 @@ function populate_options() {
 add_option('uploads_use_yearmonth_folders', 1);
 add_option('upload_path', 'wp-content/uploads');
 }
+
+ // 2.0.3
+ add_option('secret', md5(uniqid(microtime())));
+
 // 2.1
 add_option('blog_public', 1);
 add_option('default_link_category', 2);
diff --git a/wp-includes/cache.php b/wp-includes/cache.php
index 2a25af82c1..197988b932 100644
--- a/wp-includes/cache.php
+++ b/wp-includes/cache.php
@@ -142,7 +142,7 @@ class WP_Object_Cache {
 return false;
 }
- $cache_file = $this->cache_dir.$this->get_group_dir($group)."/".md5($id.DB_PASSWORD).'.php';
+ $cache_file = $this->cache_dir.$this->get_group_dir($group)."/".$this->hash($id).'.php';
 if (!file_exists($cache_file)) {
 $this->non_existant_objects[$group][$id] = true;
 $this->cache_misses += 1;
@@ -173,6 +173,18 @@ class WP_Object_Cache {
 return "{$this->blog_id}/$group";
 }
+ function hash($data) {
+ global $wp_server_secret;
+ if ( empty($wp_server_secret) )
+ $wp_server_secret = DB_PASSWORD;
+
+ if ( function_exists('hash_hmac') ) {
+ return hash_hmac('md5', $data, $wp_server_secret);
+ } else {
+ return md5($data . $wp_server_secret);
+ }
+ }
+
 function load_group_from_db($group) {
 global $wpdb;
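Review bot: The new `secret` option is seeded with `md5(uniqid(microtime()))`, and both `uniqid()` and `microtime()` are clock-derived, so the stored value has far less entropy than its 128-bit shape suggests and is guessable by anyone who can narrow down the install time; because wp_hash() keys every nonce with it, that weakens nonce verification site-wide. Seed from an unpredictable source where one is reachable and keep the clock only as a last resort, e.g. `$rnd = is_readable('/dev/urandom') ? file_get_contents('/dev/urandom', false, null, 0, 32) : uniqid(microtime(), true);` followed by `add_option('secret', md5($rnd));` (on PHP 7+ `random_bytes()` is the right call). Note that `add_option()` inserts only when the option is absent, so a site that already has a weak value keeps it until someone rotates it. populate_options() begins and ends outside the hunk.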
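Review bot: `hash()` writes `DB_PASSWORD` into the global `$wp_server_secret` whenever that global is empty, and nothing in this patch sets it, so in practice the database password gets copied into a global that any plugin, debug dump or `var_dump($GLOBALS)` can read; keep the fallback local instead, `$secret = empty($wp_server_secret) ? DB_PASSWORD : $wp_server_secret;`, and hash with `$secret`. The method also duplicates the wp_hash() added to pluggable-functions.php in this same commit but keys off a different secret (a global rather than the `secret` option), presumably because get_option() itself goes through this cache and calling wp_hash() here would recurse — if so, a comment saying exactly that would stop the next maintainer from "fixing" the duplication. The non-HMAC branch `md5($data . $secret)` is weaker than HMAC and only exists for builds without ext/hash; `// Fallback for PHP without ext/hash; hash_hmac() is preferred` would make that intent visible. The class body continues outside the hunk.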
@@ -322,7 +334,7 @@ class WP_Object_Cache {
 $ids = array_unique($ids);
 foreach ($ids as $id) {
- $cache_file = $group_dir.md5($id.DB_PASSWORD).'.php';
+ $cache_file = $group_dir.$this->hash($id).'.php';
 // Remove the cache file if the key is not set.
 if (!isset ($this->cache[$group][$id])) {
@@ -414,7 +426,7 @@ class WP_Object_Cache {
 if (defined('CACHE_EXPIRATION_TIME'))
 $this->expiration_time = CACHE_EXPIRATION_TIME;
- $this->blog_id = md5($blog_id);
+ $this->blog_id = $this->hash($blog_id);
 }
 }
 ?>
diff --git a/wp-includes/pluggable-functions.php b/wp-includes/pluggable-functions.php
index 5ff3dac6b9..43e0a8a1a0 100644
--- a/wp-includes/pluggable-functions.php
+++ b/wp-includes/pluggable-functions.php
@@ -491,7 +491,7 @@ function wp_verify_nonce($nonce, $action = -1) {
 $i = ceil(time() / 43200);
 //Allow for expanding range, but only do one check if we can
- if( substr(md5($i . DB_PASSWORD . $action . $uid), -12, 10) == $nonce || substr(md5(($i - 1) . DB_PASSWORD . $action . $uid), -12, 10) == $nonce )
+ if( substr(wp_hash($i . $action . $uid), -12, 10) == $nonce || substr(wp_hash(($i - 1) . $action . $uid), -12, 10) == $nonce )
 return true;
 return false;
 }
@@ -504,7 +504,21 @@ function wp_create_nonce($action = -1) {
 $i = ceil(time() / 43200);
- return substr(md5($i . $action . $uid), -12, 10);
+ return substr(wp_hash($i . $action . $uid), -12, 10);
+}
+endif;
+
+if ( !function_exists('wp_hash') ) :
+function wp_hash($data) {
+ $secret = get_option('secret');
+ if ( empty($secret) )
+ $secret = DB_PASSWORD;
+
+ if ( function_exists('hash_hmac') ) {
+ return hash_hmac('md5', $data, $secret);
+ } else {
+ return md5($data . $secret);
+ }
 }
 endif;
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 7d87dbfd19..ad3761a0ec 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
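Review bot: The rewritten condition still compares the caller-supplied `$nonce` with `==`, a loose comparison between a user string and a 10-character hex digest; PHP compares two numeric-looking strings numerically, so digests that happen to be shaped like `0e` followed by digits compare equal to any other value of that shape, which means a match can occur without the secret being known. Use strict comparison on both branches, `=== $nonce`, and on PHP 5.6+ prefer `hash_equals($expected, (string) $nonce)` so the check is also constant-time. wp_verify_nonce() starts before the hunk, so where `$uid` comes from is not visible here.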
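Review bot: `wp_hash()` now keys nonces with the `secret` option read from the database, so anyone who can read the options table (a leaked backup, a read-only injection, a shared database account) learns the nonce key, whereas `DB_PASSWORD` lived only in wp-config.php; a dedicated secret is the right direction, but the trade-off deserves a comment at the function head such as `// Site secret is stored in the options table; treat any read of that table as key exposure and rotate the 'secret' option afterwards.`. `empty($secret)` also treats a stored `'0'` as missing and silently falls back to `DB_PASSWORD`, and the `md5($data . $secret)` branch is taken whenever ext/hash is absent, so which key and which construction protected a given nonce is invisible to callers — a one-line comment on each fallback would at least document it. Existing nonces stop verifying at upgrade because the key changes, which is acceptable given the 12-hour window but worth a line in the commit message. The function is complete within the hunk.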
@@ -3,6 +3,6 @@
 // This just holds the version number, in a separate file so we can bump it without cluttering the SVN
 $wp_version = '2.1-alpha1';
-$wp_db_version = 3797;
+$wp_db_version = 3809;
 ?>