Add strict check to wp_verify_nonce() to avoid issues when it is improperly called.
git-svn-id: https://develop.svn.wordpress.org/trunk@24461 602fd350-edb4-49c9-b593-d223f7449a82
parent
3c5073e119
commit
626e77ec3b
|
@ -1259,10 +1259,10 @@ function wp_verify_nonce($nonce, $action = -1) {
|
|||
$i = wp_nonce_tick();
|
||||
|
||||
// Nonce generated 0-12 hours ago
|
||||
if ( substr(wp_hash($i . $action . $uid, 'nonce'), -12, 10) == $nonce )
|
||||
if ( substr(wp_hash($i . $action . $uid, 'nonce'), -12, 10) === $nonce )
|
||||
return 1;
|
||||
// Nonce generated 12-24 hours ago
|
||||
if ( substr(wp_hash(($i - 1) . $action . $uid, 'nonce'), -12, 10) == $nonce )
|
||||
if ( substr(wp_hash(($i - 1) . $action . $uid, 'nonce'), -12, 10) === $nonce )
|
||||
return 2;
|
||||
// Invalid nonce
|
||||
return false;
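Review bot: Both new `===` comparisons (the 0-12 hour branch and the 12-24 hour branch) are now type-safe, but they still compare the expected value with the caller-supplied `$nonce` using an operator that is not constant-time. Where `hash_equals()` is available (PHP 5.6+, or a project-provided shim), the first check could read `if ( hash_equals( substr(wp_hash($i . $action . $uid, 'nonce'), -12, 10), (string) $nonce ) )`, with the same form for `($i - 1)`. A short comment above the first check, such as `// Strict comparison: with a loose == a non-string $nonce could match through type juggling`, would record why the operator matters for anyone tempted to relax it later. The start of wp_verify_nonce(), including where `$uid` is assigned and whether `$nonce` is normalised beforehand, lies outside this hunk, so that part cannot be confirmed from here.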
|
||||
|
|