[wp-trac] [WordPress Trac] #50510: Improve security of wp_nonce implementation
WordPress Trac
noreply at wordpress.org
Tue Jul 11 00:49:57 UTC 2023
#50510: Improve security of wp_nonce implementation
--------------------------+------------------------------
Reporter: chaoix | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: normal | Resolution:
Keywords: dev-feedback | Focuses:
--------------------------+------------------------------
Comment (by kkmuffme):
I think this is definitely something that could be added easily, however
the PR needs a bit of work.
- Why do you hash the user agent, when you then hash everything later on
anyway?
- the user agent might not be set if the request comes from PHP CLI, atm
this produces a notice in the patch
- redundant code line 26/27?
- always use SHA512, since it's faster
- why truncate to 64 characters?
- hash_hmac seems useless as well as the explode making it unnecessarily
complex/slow
- duplicate code with the user agent in 2 functions
--
Ticket URL: <https://core.trac.wordpress.org/ticket/50510#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>