From 35fa99324eecf19b0205a8accb42789238f0fa0e Mon Sep 17 00:00:00 2001
From: Ian Dunn
Date: Fri, 25 Oct 2019 13:47:59 -0700
Subject: [PATCH] Email: Compare token with `hash_equals()` to mitigate timing attacks.

Props timothyblynjacobs
See #46
See https://make.wordpress.org/meta/2019/10/25/security-review-of-authentication-tokens/
---
 plugins/wporg-5ftf/includes/email.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/plugins/wporg-5ftf/includes/email.php b/plugins/wporg-5ftf/includes/email.php
index 522ea88..2672f94 100644
--- a/plugins/wporg-5ftf/includes/email.php
+++ b/plugins/wporg-5ftf/includes/email.php
@@ -128,7 +128,11 @@ function is_valid_authentication_token( $pledge_id, $action, $unverified_token )
 return false;
 }
 
- if ( $valid_token && $valid_token['expiration'] > time() && $unverified_token === $valid_token['value'] ) {
+ if ( ! is_string( $unverified_token ) || TOKEN_LENGTH !== strlen( $unverified_token ) ) {
+ return false;
+ }
+
+ if ( $valid_token && $valid_token['expiration'] > time() && hash_equals( $valid_token['value'], $unverified_token ) ) {
 $verified = true;
 
 // Tokens should not be reusable, to increase security.
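Review bot: The new `is_string()` / `TOKEN_LENGTH` guard only vets the caller-supplied side of `hash_equals()`, while `$valid_token['value']` (loaded outside this hunk) is passed through unchecked; `hash_equals()` emits a warning and returns false on a non-string in PHP 7 and throws a TypeError in PHP 8, so a corrupted or legacy stored token would surface as an error rather than a clean `return false`. Extending the `$valid_token` condition to `$valid_token && is_string( $valid_token['value'] ) && $valid_token['expiration'] > time() && hash_equals( $valid_token['value'], $unverified_token )` keeps the constant-time comparison on the well-formed path and fails closed otherwise; whether that shape is already guaranteed by the code that loads `$valid_token` is not visible here. The purpose of the early length check is also worth stating for future readers, since it is easy to read as redundant with `hash_equals()`: `// hash_equals() needs two strings; reject non-string or wrong-length input up front so the constant-time compare is only reached by well-formed tokens.` The note presumes `TOKEN_LENGTH` matches the length of tokens as generated elsewhere in the file. `is_valid_authentication_token()` starts and ends outside this hunk.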