WordPress-C
/
WordPress
mirror of https://github.com/WordPress/WordPress.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add strict check to wp_verify_nonce() to avoid issues when it is improperly called. 

git-svn-id: http://core.svn.wordpress.org/trunk@24461 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Andrew Nacin 2013-06-21 02:11:31 +00:00
parent 9f10b33324
commit e27d41d8e7
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
wp-includes/pluggable.php
View File

@ -1259,10 +1259,10 @@ function wp_verify_nonce($nonce, $action = -1) {
$i = wp_nonce_tick();
// Nonce generated 0-12 hours ago
if ( substr(wp_hash($i . $action . $uid, 'nonce'), -12, 10) == $nonce )
if ( substr(wp_hash($i . $action . $uid, 'nonce'), -12, 10) === $nonce )
return 1;
// Nonce generated 12-24 hours ago
if ( substr(wp_hash(($i - 1) . $action . $uid, 'nonce'), -12, 10) == $nonce )
if ( substr(wp_hash(($i - 1) . $action . $uid, 'nonce'), -12, 10) === $nonce )
return 2;
// Invalid nonce
return false;