wp_hash() and server secret.

git-svn-id: http://svn.automattic.com/wordpress/trunk@3810 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2006-05-31 00:24:03 +00:00 · 2006-05-31 00:24:03 +00:00 · a50330dd45
parent 20b5e18fea
commit a50330dd45
4 changed files with 36 additions and 6 deletions
--- a/wp-admin/upgrade-schema.php
+++ b/wp-admin/upgrade-schema.php
@ -224,6 +224,10 @@ function populate_options() {
 		add_option('uploads_use_yearmonth_folders', 1);
 		add_option('upload_path', 'wp-content/uploads');
 	}
+	
+	// 2.0.3
+	add_option('secret', md5(uniqid(microtime())));
+
 	// 2.1
 	add_option('blog_public', 1);
 	add_option('default_link_category', 2);
--- a/wp-includes/cache.php
+++ b/wp-includes/cache.php
@ -142,7 +142,7 @@ class WP_Object_Cache {
 			return false;
 		}

-		$cache_file = $this->cache_dir.$this->get_group_dir($group)."/".md5($id.DB_PASSWORD).'.php';
+		$cache_file = $this->cache_dir.$this->get_group_dir($group)."/".$this->hash($id).'.php';
 		if (!file_exists($cache_file)) {
 			$this->non_existant_objects[$group][$id] = true;
 			$this->cache_misses += 1;
@ -173,6 +173,18 @@ class WP_Object_Cache {
 		return "{$this->blog_id}/$group";
 	}

+	function hash($data) {
+		global $wp_server_secret;
+		if ( empty($wp_server_secret) )
+			$wp_server_secret = DB_PASSWORD;
+
+		if ( function_exists('hash_hmac') ) {
+			return hash_hmac('md5', $data, $wp_server_secret);
+		} else {
+			return md5($data . $wp_server_secret);
+		}
+	}
+
 	function load_group_from_db($group) {
 		global $wpdb;

@ -322,7 +334,7 @@ class WP_Object_Cache {

 			$ids = array_unique($ids);
 			foreach ($ids as $id) {
-				$cache_file = $group_dir.md5($id.DB_PASSWORD).'.php';
+				$cache_file = $group_dir.$this->hash($id).'.php';

 				// Remove the cache file if the key is not set.
 				if (!isset ($this->cache[$group][$id])) {
@ -414,7 +426,7 @@ class WP_Object_Cache {
 		if (defined('CACHE_EXPIRATION_TIME'))
 			$this->expiration_time = CACHE_EXPIRATION_TIME;

-		$this->blog_id = md5($blog_id);
+		$this->blog_id = $this->hash($blog_id);
 	}
 }
 ?>
--- a/wp-includes/pluggable-functions.php
+++ b/wp-includes/pluggable-functions.php
@ -491,7 +491,7 @@ function wp_verify_nonce($nonce, $action = -1) {
 	$i = ceil(time() / 43200);

 	//Allow for expanding range, but only do one check if we can
-	if( substr(md5($i . DB_PASSWORD . $action . $uid), -12, 10) == $nonce || substr(md5(($i - 1) . DB_PASSWORD . $action . $uid), -12, 10) == $nonce )
+	if( substr(wp_hash($i . $action . $uid), -12, 10) == $nonce || substr(wp_hash(($i - 1) . $action . $uid), -12, 10) == $nonce )
 		return true;
 	return false;
 }
@ -504,7 +504,21 @@ function wp_create_nonce($action = -1) {

 	$i = ceil(time() / 43200);
 	
-	return substr(md5($i . DB_PASSWORD . $action . $uid), -12, 10);
+	return substr(wp_hash($i . $action . $uid), -12, 10);
+}
+endif;
+
+if ( !function_exists('wp_hash') ) :
+function wp_hash($data) {
+	$secret = get_option('secret');
+	if ( empty($secret) )
+		$secret = DB_PASSWORD;
+
+	if ( function_exists('hash_hmac') ) {
+		return hash_hmac('md5', $data, $secret);
+	} else {
+		return md5($data . $secret);
+	}
 }
 endif;

--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@ -3,6 +3,6 @@
 // This just holds the version number, in a separate file so we can bump it without cluttering the SVN

 $wp_version = '2.1-alpha1';
-$wp_db_version = 3797;
+$wp_db_version = 3809;

 ?>