From f3dd1ef8569a22eea1530fcf287b13471a7d4143 Mon Sep 17 00:00:00 2001
From: Ryan Boren
Date: Sun, 7 Dec 2008 21:31:13 +0000
Subject: [PATCH] Introduce NONCE_SALT and NONCE_KEY

git-svn-id: https://develop.svn.wordpress.org/trunk@10120 602fd350-edb4-49c9-b593-d223f7449a82
---
 wp-config-sample.php      |  1 +
 wp-includes/pluggable.php | 19 ++++++++++++++++---
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/wp-config-sample.php b/wp-config-sample.php
index bd09fbae93..24adf07d29 100644
--- a/wp-config-sample.php
+++ b/wp-config-sample.php
@@ -44,6 +44,7 @@ define('DB_COLLATE', '');
 define('AUTH_KEY', 'put your unique phrase here');
 define('SECURE_AUTH_KEY', 'put your unique phrase here');
 define('LOGGED_IN_KEY', 'put your unique phrase here');
+define('NONCE_KEY', 'put your unique phrase here');
 /**#@-*/
 
 /**
diff --git a/wp-includes/pluggable.php b/wp-includes/pluggable.php
index bffa214a31..a85d8ab1c9 100644
--- a/wp-includes/pluggable.php
+++ b/wp-includes/pluggable.php
@@ -1159,10 +1159,10 @@ function wp_verify_nonce($nonce, $action = -1) {
 	$i = wp_nonce_tick();
 
 	// Nonce generated 0-12 hours ago
-	if ( substr(wp_hash($i . $action . $uid), -12, 10) == $nonce )
+	if ( substr(wp_hash($i . $action . $uid, 'nonce'), -12, 10) == $nonce )
 		return 1;
 	// Nonce generated 12-24 hours ago
-	if ( substr(wp_hash(($i - 1) . $action . $uid), -12, 10) == $nonce )
+	if ( substr(wp_hash(($i - 1) . $action . $uid, 'nonce'), -12, 10) == $nonce )
 		return 2;
 	// Invalid nonce
 	return false;
@@ -1184,7 +1184,7 @@ function wp_create_nonce($action = -1) {
 
 	$i = wp_nonce_tick();
 
-	return substr(wp_hash($i . $action . $uid), -12, 10);
+	return substr(wp_hash($i . $action . $uid, 'nonce'), -12, 10);
 }
 endif;
 
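Review bot: The two rewritten comparisons in the wp_verify_nonce hunk still use PHP's loose `==` between the 10-character hash substring and the caller-supplied `$nonce`; when both operands are numeric-looking strings PHP compares them as numbers rather than byte for byte, so distinct values can compare equal. Using strict comparison on both lines, e.g. `if ( substr(wp_hash($i . $action . $uid, 'nonce'), -12, 10) === $nonce )`, removes that mismatch without changing the intended behaviour. Separately, the hashed input `$i . $action . $uid` joins its three parts with no delimiter, so different (action, uid) pairs can yield the same concatenation; the same construction is used in the wp_create_nonce hunk below, and a delimiter would have to be added to both sides together. The first lines of wp_verify_nonce, where `$uid` is assigned, are outside this hunk.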
@@ -1272,6 +1272,19 @@ function wp_salt($scheme = 'auth') {
 				update_option('logged_in_salt', $salt);
 			}
 		}
+	} elseif ( 'nonce' == $scheme ) {
+		if ( defined('NONCE_KEY') && ('' != NONCE_KEY) && ( $wp_default_secret_key != NONCE_KEY) )
+			$secret_key = NONCE_KEY;
+
+		if ( defined('NONCE_SALT') ) {
+			$salt = NONCE_SALT;
+		} else {
+			$salt = get_option('nonce_salt');
+			if ( empty($salt) ) {
+				$salt = wp_generate_password();
+				update_option('nonce_salt', $salt);
+			}
+		}
 	} else {
 		// ensure each auth scheme has its own unique salt
 		$salt = hash_hmac('md5', $scheme, $secret_key);
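Review bot: The new `defined('NONCE_SALT')` branch accepts an empty NONCE_SALT, whereas the NONCE_KEY check a few lines above explicitly rejects `''`; an empty salt would silently weaken the nonce scheme instead of falling back to the stored `nonce_salt` option. Making the salt check symmetric, `if ( defined('NONCE_SALT') && ('' != NONCE_SALT) ) {`, keeps the two constants behaving the same way. NONCE_SALT is also not added to wp-config-sample.php in this commit (only NONCE_KEY is), so a short comment above the branch naming both constants and the fallback order from constant to option to generated value would help readers; `$secret_key` and `$wp_default_secret_key` are assigned earlier in wp_salt, outside this hunk.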