[wp-trac] [WordPress Trac] #41617: wp_verify_nonce() check fails on several websites because of filter possibility in wp_nonce_tick()

WordPress Trac noreply at wordpress.org
Sat Aug 12 08:58:43 UTC 2017


#41617: wp_verify_nonce() check fails on several websites because of filter
possibility in wp_nonce_tick()
-------------------------------------------------+-------------------------
 Reporter:  ReneHermi                            |       Owner:
     Type:  defect (bug)                         |      Status:  new
 Priority:  normal                               |   Milestone:  Awaiting Review
Component:  Security                             |     Version:  4.8.1
 Severity:  critical                             |  Resolution:
 Keywords:  dev-feedback 2nd-opinion needs-patch |     Focuses:
-------------------------------------------------+-------------------------
Changes (by ReneHermi):

 * keywords:   => dev-feedback 2nd-opinion needs-patch
 * component:  General => Security
 * severity:  normal => critical


Comment:

 Change pluggable.php


 {{{
 function wp_nonce_tick() {
         /**
          * Filters the lifespan of nonces in seconds.
          *
          * @since 2.5.0
          *
          * @param int $lifespan Lifespan of nonces in seconds. Default 86,400 seconds, or one day.
          */
         $nonce_life = apply_filters( 'nonce_life', DAY_IN_SECONDS );

         return ceil( time() / ( $nonce_life / 2 ) );
 }
 }}}


 To

 {{{
 function wp_nonce_tick() {
         return ceil( time() / ( DAY_IN_SECONDS / 2 ) );
 }
 }}}

--
Ticket URL: <https://core.trac.wordpress.org/ticket/41617#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
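As an added example (not the ticket's patch and not WordPress core code), the stand-alone PHP below reproduces the failure mode the ticket reports: when a `nonce_life` filter changes the lifespan on the verifying request but not on the creating one, `wp_nonce_tick()` returns a different tick and verification fails; hooked on both requests, the same filter verifies fine, which is the check that separates an inconsistently applied hook from the filter itself. The stub filter registry, the `nonce_for()` helper, the constant secret and the timestamp are assumptions of this example.

```php
<?php
// Added illustration, not WordPress core: a minimal stand-in for the nonce
// tick/create/verify path with a stub filter registry, reproducing the failure the ticket describes.
const DAY_IN_SECONDS = 86400;
$filters = []; // hypothetical stand-in for WordPress's $wp_filter
function add_filter(string $tag, callable $cb): void {
    global $filters;
    $filters[$tag][] = $cb;
}
function apply_filters(string $tag, $value) {
    global $filters;
    foreach ($filters[$tag] ?? [] as $cb) {
        $value = $cb($value);
    }
    return $value;
}
// Mirrors wp_nonce_tick(): the tick advances once per half-lifespan, so a
// different lifespan yields a different tick for the same instant.
function wp_nonce_tick(int $now): float {
    $nonce_life = apply_filters('nonce_life', DAY_IN_SECONDS);
    return ceil($now / ($nonce_life / 2));
}
// Simplified: core also mixes in user id, session token and the site salt;
// a constructed secret stands in for those here.
function nonce_for(float $tick, string $action): string {
    return substr(hash_hmac('md5', $tick . '|' . $action, 'constructed-secret'), -12, 10);
}
function create_nonce(string $action, int $now): string {
    return nonce_for(wp_nonce_tick($now), $action);
}
// 1 = current tick, 2 = previous tick (up to a full lifespan old), 0 = invalid
function verify_nonce(string $nonce, string $action, int $now): int {
    $tick = wp_nonce_tick($now);
    if (hash_equals(nonce_for($tick, $action), $nonce))     return 1;
    if (hash_equals(nonce_for($tick - 1, $action), $nonce)) return 2;
    return 0;
}
$now   = 1502528323; // constructed timestamp
$nonce = create_nonce('save-settings', $now);              // no filter hooked
var_dump(verify_nonce($nonce, 'save-settings', $now));     // int(1): ticks agree

// A plugin that shortens the lifespan only on the verifying request changes
// the tick there, so a nonce created under the default lifespan no longer matches.
add_filter('nonce_life', function ($life) { return 3600; });
var_dump(verify_nonce($nonce, 'save-settings', $now));     // int(0): ticks disagree

// Hooked on both requests, create and verify see the same lifespan again.
$nonce = create_nonce('save-settings', $now);
var_dump(verify_nonce($nonce, 'save-settings', $now));     // int(1)
```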

