Commit
Built from https://develop.svn.wordpress.org/branches/3.8@28054 git-svn-id: http://core.svn.wordpress.org/branches/3.8@27884 1a063a9b-81f0-0310-95a4-ce76da25c4cd
@@ -543,7 +543,7 @@ function wp_validate_auth_cookie($cookie = '', $scheme = '') { | |
$key = wp_hash($username . $pass_frag . '|' . $expiration, $scheme); | ||
$hash = hash_hmac('md5', $username . '|' . $expiration, $key); | ||
|
||
if ( $hmac != $hash ) { | ||
if ( hash_hmac( 'md5', $hmac, $key ) !== hash_hmac( 'md5', $hash, $key ) ) { | ||
kivikakk
|
||
do_action('auth_cookie_bad_hash', $cookie_elements); | ||
return false; | ||
} | ||
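Review bot: the `!==` on the new line still stops at the first differing byte, so the protection rests entirely on `$key` staying secret: without it the client cannot compute `hash_hmac( 'md5', $hmac, $key )`, so the position at which the two outer digests diverge tells it nothing about how much of the real `$hash` its `$hmac` matched, which is exactly what the old `$hmac != $hash` leaked. Nothing in the hunk or the commit message states that rationale, and the comment thread on this commit shows reviewers reading the double `hash_hmac` as a no-op; add a one-line comment above the `if` saying the outer HMAC randomises the bytes being compared, and note that a constant-time comparison of `$hmac` against `$hash` directly would be the simpler equivalent. Separately, the move from `!=` to `!==` also changes behaviour for hex digests that look numeric to PHP (two strings of the form `0e` followed only by digits compare equal under loose `!=`), which is worth calling out as a second fix in the same line.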
1 comment
on commit 78a915e
Since this is ostensibly a guard against a timing attack, why not just use a constant-time comparison to fix it properly?
```php
function secure_compare($a, $b) {
    $len_a = strlen($a);
    $len_b = strlen($b);
    if ($len_a == $len_b) {
        // OR together the XOR of every byte pair so the loop always runs to the end
        // and takes the same time whether the strings differ at byte 0 or byte 31.
        $result = 0;
        for ($i = 0; $i < $len_a; $i++) {
            $result = $result | (ord($a[$i]) ^ ord($b[$i]));
        }
        return $result === 0;
    } else {
        // A length mismatch returns early; only the length is leaked, never the content.
        return false;
    }
}
```
(Shamelessly adapted from the Rails patch which protected against the same issue)
This is really suspect and confusing. `$hmac` appears to not be defined anywhere in this scope. I assume it is a global set somewhere? Do you handle `$hmac` not being defined? Is that what you are 'hardening' against?

`$hash` is the result of `hash_hmac('md5', ...)` on the username and expiration, so it is unnecessary to hash it again unless your goal is to somehow 'harden' this test by applying a second level of hashing. It is unclear whether this accomplishes anything since you are doing the second layer for both values at the point of comparison (I can't imagine this does anything). Is the use of `hash_hmac` on both sides here an attempt to prevent side-channel timing attacks? If so, it is faulty, since you're still doing a string comparison on the end result. If you want to prevent side-channel timing attacks, use a constant-time string comparison, and don't use `hash_hmac` a second time. `$hash` is already an md5 going in to the hash call, I'll assume `$hmac` is too so the risk is nil.
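To make the two comments above concrete, here is an added example (not WordPress code and not from either commenter) that puts the pre-commit loose comparison, the commit's double-HMAC comparison and a constant-time comparison side by side on a constructed `username|expiration|hmac` cookie. It assumes PHP 7 or later and a hypothetical server-side `$key`; `hash_equals()` (PHP 5.6+) is the standard-library equivalent of the hand-written loop.

```php
<?php
// Constant-time comparison of two strings, the approach suggested in the comments.
// hash_equals() provides the same guarantee since PHP 5.6; this polyfill is shown
// so the mechanism is visible: the loop never exits early on a mismatch.
function secure_compare_str(string $a, string $b): bool {
    if (strlen($a) !== strlen($b)) {
        return false;                       // only the length is leaked
    }
    $result = 0;
    for ($i = 0, $n = strlen($a); $i < $n; $i++) {
        $result |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $result === 0;
}

// The commit's approach: compare keyed digests of both values with !==. The byte at
// which !== stops now depends on HMAC outputs the client cannot predict without $key,
// so the timing no longer reveals which byte of the real $hash a supplied $hmac matched.
function double_hmac_equal(string $hmac, string $hash, string $key): bool {
    return hash_hmac('md5', $hmac, $key) === hash_hmac('md5', $hash, $key);
}

// Hypothetical, simplified cookie check: $cookie is "username|expiration|hmac".
// $mode selects which comparison is used so the three can be contrasted.
function validate_cookie(string $cookie, string $key, string $mode): bool {
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return false;                       // malformed cookie: reject, no warning
    }
    list($username, $expiration, $hmac) = $parts;
    $hash = hash_hmac('md5', $username . '|' . $expiration, $key);
    switch ($mode) {
        case 'loose':  return !($hmac != $hash);   // the pre-commit test
        case 'double': return double_hmac_equal($hmac, $hash, $key);
        default:       return secure_compare_str($hmac, $hash);
    }
}

// Constructed inputs: a secret key and a cookie with a deliberately wrong hmac.
$key    = 'constructed-secret-key';
$good   = 'alice|1400000000|' . hash_hmac('md5', 'alice|1400000000', $key);
$bad    = 'alice|1400000000|' . str_repeat('0', 32);
var_dump(validate_cookie($good, $key, 'double'));   // bool(true)
var_dump(validate_cookie($bad,  $key, 'double'));   // bool(false)
var_dump(validate_cookie($good, $key, 'ct'));       // bool(true)

// A second reason the strict operator matters: PHP compares two numeric-looking
// strings as numbers, so under loose != two digests of the form 0e<digits> are "equal".
var_dump('0e12345' == '0e99999');                   // bool(true)
var_dump('0e12345' === '0e99999');                  // bool(false)
```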