Email: Compare token with hash_equals() to mitigate timing attacks.

Props timothyblynjacobs
See #46
See https://make.wordpress.org/meta/2019/10/25/security-review-of-authentication-tokens/
Ian Dunn 2019-10-25 13:47:59 -07:00
parent 838a490776
commit 35fa99324e
No known key found for this signature in database
GPG key ID: 99B971B50343CBCB


@ -128,7 +128,11 @@ function is_valid_authentication_token( $pledge_id, $action, $unverified_token )
return false;
}
if ( $valid_token && $valid_token['expiration'] > time() && $unverified_token === $valid_token['value'] ) {
if ( ! is_string( $unverified_token ) || TOKEN_LENGTH !== strlen( $unverified_token ) ) {
return false;
}
if ( $valid_token && $valid_token['expiration'] > time() && hash_equals( $valid_token['value'], $unverified_token ) ) {
$verified = true;
// Tokens should not be reusable, to increase security.