tec3/five-for-the-future
tec3/five-for-the-future
1
0
Fork 0
mirror of https://github.com/WordPress/five-for-the-future.git synced 2025-04-22 19:13:44 +03:00
Code Issues Actions Packages Projects Releases Wiki Activity

Email: Send no-cache headers when auth token present for security.

Browse source
This commit is contained in:
Ian Dunn 2019-11-07 11:53:39 -08:00
parent 18228d367c
commit 7e89d1794a
No known key found for this signature in database
GPG key ID: 99B971B50343CBCB
1 changed files with 14 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
plugins/wporg-5ftf/includes/email.php
View file

@ -37,6 +37,20 @@ const TOKEN_PREFIX = '5ftf_auth_token_';
// Longer than `get_password_reset_key()` just to be safe. See https://core.trac.wordpress.org/ticket/43546#comment:34 // Longer than `get_password_reset_key()` just to be safe. See https://core.trac.wordpress.org/ticket/43546#comment:34
const TOKEN_LENGTH = 32; const TOKEN_LENGTH = 32;
add_action( 'wp_head', __NAMESPACE__ . '\prevent_caching_auth_tokens', 99 );
/**
* Prevent caching mechanisms from caching authentication tokens.
*
* Search engines would often be too slow to index tokens before they expire, but other mechanisms like Varnish,
* etc could create situations where they're leaked to others.
*/
function prevent_caching_auth_tokens() {
if ( isset( $_GET['auth_token'] ) || isset( $_POST['auth_token'] ) ) {
nocache_headers();
}
}
/** /**
* Wrap `wp_mail()` with shared functionality. * Wrap `wp_mail()` with shared functionality.
* *