Merge pull request #7147 from maxrice/rest-api-hash-equals
Use hash_equals() for REST API string comparison
This commit is contained in:
commit
cd4b497a2d
|
@ -36,15 +36,17 @@ class WC_API_Authentication {
|
|||
public function authenticate( $user ) {
|
||||
|
||||
// allow access to the index by default
|
||||
if ( '/' === WC()->api->server->path )
|
||||
return new WP_User(0);
|
||||
if ( '/' === WC()->api->server->path ) {
|
||||
return new WP_User( 0 );
|
||||
}
|
||||
|
||||
try {
|
||||
|
||||
if ( is_ssl() )
|
||||
if ( is_ssl() ) {
|
||||
$user = $this->perform_ssl_authentication();
|
||||
else
|
||||
} else {
|
||||
$user = $this->perform_oauth_authentication();
|
||||
}
|
||||
|
||||
// check API key-specific permission
|
||||
$this->check_api_key_permissions( $user );
|
||||
|
@ -165,7 +167,7 @@ class WC_API_Authentication {
|
|||
|
||||
$user_query = new WP_User_Query(
|
||||
array(
|
||||
'meta_key' => 'woocommerce_api_consumer_key',
|
||||
'meta_key' => 'woocommerce_api_consumer_key',
|
||||
'meta_value' => $consumer_key,
|
||||
)
|
||||
);
|
||||
|
@ -188,7 +190,7 @@ class WC_API_Authentication {
|
|||
*/
|
||||
private function is_consumer_secret_valid( WP_User $user, $consumer_secret ) {
|
||||
|
||||
return $user->woocommerce_api_consumer_secret === $consumer_secret;
|
||||
return hash_equals( $user->woocommerce_api_consumer_secret, $consumer_secret );
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -244,7 +246,7 @@ class WC_API_Authentication {
|
|||
|
||||
$signature = base64_encode( hash_hmac( $hash_algorithm, $string_to_sign, $user->woocommerce_api_consumer_secret, true ) );
|
||||
|
||||
if ( $signature !== $consumer_signature ) {
|
||||
if ( ! hash_equals( $signature, $consumer_signature ) ) {
|
||||
throw new Exception( __( 'Invalid Signature - provided signature does not match', 'woocommerce' ), 401 );
|
||||
}
|
||||
}
|
||||
|
|
|
@ -737,3 +737,33 @@ function wc_get_customer_default_location() {
|
|||
|
||||
return $location;
|
||||
}
|
||||
|
||||
// This function can be removed when WP 3.9.2 or greater is required
|
||||
if ( ! function_exists( 'hash_equals' ) ) :
|
||||
/**
|
||||
* Compare two strings in constant time.
|
||||
*
|
||||
* This function was added in PHP 5.6.
|
||||
* It can leak the length of a string.
|
||||
*
|
||||
* @since 3.9.2
|
||||
*
|
||||
* @param string $a Expected string.
|
||||
* @param string $b Actual string.
|
||||
* @return bool Whether strings are equal.
|
||||
*/
|
||||
function hash_equals( $a, $b ) {
|
||||
$a_length = strlen( $a );
|
||||
if ( $a_length !== strlen( $b ) ) {
|
||||
return false;
|
||||
}
|
||||
$result = 0;
|
||||
|
||||
// Do not attempt to "optimize" this.
|
||||
for ( $i = 0; $i < $a_length; $i++ ) {
|
||||
$result |= ord( $a[ $i ] ) ^ ord( $b[ $i ] );
|
||||
}
|
||||
|
||||
return $result === 0;
|
||||
}
|
||||
endif;
|
||||
|
|
Loading…
Reference in New Issue