Steve-Dee-Designs
/
woocommerce
mirror of https://github.com/woocommerce/woocommerce.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #7147 from maxrice/rest-api-hash-equals 

Use hash_equals() for REST API string comparison
This commit is contained in:
Mike Jolley 2015-01-19 10:03:23 +00:00
parent b896c5063f 2d974987dc
commit cd4b497a2d
2 changed files with 39 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
includes/api/class-wc-api-authentication.php
View File

@ -36,15 +36,17 @@ class WC_API_Authentication {
public function authenticate( $user ) { public function authenticate( $user ) {
// allow access to the index by default // allow access to the index by default
if ( '/' === WC()->api->server->path ) if ( '/' === WC()->api->server->path ) {
return new WP_User(0); return new WP_User( 0 );
}
try { try {
if ( is_ssl() ) if ( is_ssl() ) {
$user = $this->perform_ssl_authentication(); $user = $this->perform_ssl_authentication();
else } else {
$user = $this->perform_oauth_authentication(); $user = $this->perform_oauth_authentication();
}
// check API key-specific permission // check API key-specific permission
$this->check_api_key_permissions( $user ); $this->check_api_key_permissions( $user );
@ -188,7 +190,7 @@ class WC_API_Authentication {
*/ */
private function is_consumer_secret_valid( WP_User $user, $consumer_secret ) { private function is_consumer_secret_valid( WP_User $user, $consumer_secret ) {
return $user->woocommerce_api_consumer_secret === $consumer_secret; return hash_equals( $user->woocommerce_api_consumer_secret, $consumer_secret );
} }
/** /**
@ -244,7 +246,7 @@ class WC_API_Authentication {
$signature = base64_encode( hash_hmac( $hash_algorithm, $string_to_sign, $user->woocommerce_api_consumer_secret, true ) ); $signature = base64_encode( hash_hmac( $hash_algorithm, $string_to_sign, $user->woocommerce_api_consumer_secret, true ) );
if ( $signature !== $consumer_signature ) { if ( ! hash_equals( $signature, $consumer_signature ) ) {
throw new Exception( __( 'Invalid Signature - provided signature does not match', 'woocommerce' ), 401 ); throw new Exception( __( 'Invalid Signature - provided signature does not match', 'woocommerce' ), 401 );
} }
} }

30
includes/wc-core-functions.php
View File

@ -737,3 +737,33 @@ function wc_get_customer_default_location() {
return $location; return $location;
} }
// This function can be removed when WP 3.9.2 or greater is required
if ( ! function_exists( 'hash_equals' ) ) :
/**
* Compare two strings in constant time.
*
* This function was added in PHP 5.6.
* It can leak the length of a string.
*
* @since 3.9.2
*
* @param string $a Expected string.
* @param string $b Actual string.
* @return bool Whether strings are equal.
*/
function hash_equals( $a, $b ) {
$a_length = strlen( $a );
if ( $a_length !== strlen( $b ) ) {
return false;
}
$result = 0;
// Do not attempt to "optimize" this.
for ( $i = 0; $i < $a_length; $i++ ) {
$result |= ord( $a[ $i ] ) ^ ord( $b[ $i ] );
}
return $result === 0;
}
endif;