From 3234ade164d6ea75f0c5e09ea2efd57c01344f8d Mon Sep 17 00:00:00 2001
From: Andrew Nacin <nacin@git.wordpress.org>
Date: Tue, 8 Apr 2014 18:05:42 +0000
Subject: [PATCH] Harden HMAC verification. props duck_.

git-svn-id: https://develop.svn.wordpress.org/trunk@28053 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/pluggable.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/wp-includes/pluggable.php b/src/wp-includes/pluggable.php
index 65750be262..ef2821fb2a 100644
--- a/src/wp-includes/pluggable.php
+++ b/src/wp-includes/pluggable.php
@@ -647,7 +647,7 @@ function wp_validate_auth_cookie($cookie = '', $scheme = '') {
 	$key = wp_hash($username . $pass_frag . '|' . $expiration, $scheme);
 	$hash = hash_hmac('md5', $username . '|' . $expiration, $key);
 
-	if ( $hmac != $hash ) {
+	if ( hash_hmac( 'md5', $hmac, $key ) !== hash_hmac( 'md5', $hash, $key ) ) {
 		/**
 		 * Fires if a bad authentication cookie hash is encountered.
 		 *