[wp-trac] [WordPress Trac] #41617: wp_verify_nonce() check fails on several websites because of filter possibility in wp_nonce_tick()
WordPress Trac
noreply at wordpress.org
Sat Aug 12 08:58:43 UTC 2017
#41617: wp_verify_nonce() check fails on several websites because of filter
possibility in wp_nonce_tick()
-------------------------------------------------+-------------------------
 Reporter:  ReneHermi                            |       Owner:
     Type:  defect (bug)                         |      Status:  new
 Priority:  normal                               |   Milestone:  Awaiting Review
Component:  Security                             |     Version:  4.8.1
 Severity:  critical                             |  Resolution:
 Keywords:  dev-feedback 2nd-opinion needs-patch |     Focuses:
-------------------------------------------------+-------------------------
Changes (by ReneHermi):
* keywords: => dev-feedback 2nd-opinion needs-patch
* component: General => Security
* severity: normal => critical
Comment:
Change pluggable.php
{{{
function wp_nonce_tick() {
	/**
	 * Filters the lifespan of nonces in seconds.
	 *
	 * @since 2.5.0
	 *
	 * @param int $lifespan Lifespan of nonces in seconds. Default 86,400 seconds, or one day.
	 */
	$nonce_life = apply_filters( 'nonce_life', DAY_IN_SECONDS );
	return ceil(time() / ( $nonce_life / 2 ));
}
}}}
To
{{{
function wp_nonce_tick() {
	return ceil(time() / ( DAY_IN_SECONDS / 2 ));
}
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/41617#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
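
An added example, not part of the ticket or of WordPress core: a simplified stand-alone model of the tick arithmetic in wp_nonce_tick(), showing that a nonce issued under one nonce_life value is compared against an unrelated tick when the filter returns a different value at verification time. The demo_* functions, the HMAC key, the SHA-256 hash and the sample timestamp are constructed for illustration, and an inconsistent filter value is assumed here as the failure mode.

```php
<?php
// Simplified model of WordPress nonce ticks. Not WordPress core code.
const DAY_IN_SECONDS  = 86400;
const HOUR_IN_SECONDS = 3600;
const DEMO_KEY        = 'constructed-demo-key'; // stands in for the site's nonce salt

// Same arithmetic as wp_nonce_tick(), with the clock and the filtered
// lifespan passed in so both sides of the check can be compared.
function demo_nonce_tick( int $now, int $nonce_life ): int {
	return (int) ceil( $now / ( $nonce_life / 2 ) );
}

// Token bound to a tick and an action (core also binds user and session).
function demo_token( int $tick, string $action ): string {
	return substr( hash_hmac( 'sha256', $tick . '|' . $action, DEMO_KEY ), -12, 10 );
}

function demo_create_nonce( string $action, int $now, int $nonce_life ): string {
	return demo_token( demo_nonce_tick( $now, $nonce_life ), $action );
}

// Accepts the current tick and the previous one, as wp_verify_nonce() does.
// Returns 1 or 2 for the matching half of the lifespan, false otherwise.
function demo_verify_nonce( string $nonce, string $action, int $now, int $nonce_life ) {
	$tick = demo_nonce_tick( $now, $nonce_life );
	foreach ( array( 0, 1 ) as $age ) {
		if ( hash_equals( demo_token( $tick - $age, $action ), $nonce ) ) {
			return $age + 1;
		}
	}
	return false;
}

$issued = 1502528323; // constructed sample clock: 2017-08-12 08:58:43 UTC
$action = 'save-settings'; // hypothetical action name
$nonce  = demo_create_nonce( $action, $issued, DAY_IN_SECONDS );

// Case 1: issuer and verifier both see the default one-day lifespan.
var_dump( demo_verify_nonce( $nonce, $action, $issued + 60, DAY_IN_SECONDS ) );

// Case 2: a 'nonce_life' callback active only on the verifying request
// returns one hour, so the verifier derives its tick from a different divisor.
var_dump( demo_verify_nonce( $nonce, $action, $issued + 60, HOUR_IN_SECONDS ) );

// The two ticks the verifier would compute for the same clock value.
var_dump( demo_nonce_tick( $issued + 60, DAY_IN_SECONDS ), demo_nonce_tick( $issued + 60, HOUR_IN_SECONDS ) );
```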