From 2d974987dc854f12432ec8d06bea749ba28b8e31 Mon Sep 17 00:00:00 2001
From: Max Rice
Date: Mon, 19 Jan 2015 00:34:09 -0500
Subject: [PATCH] Check strings using hash_equals time-constant string comparison to prevent timing attacks
---
 includes/api/class-wc-api-authentication.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/includes/api/class-wc-api-authentication.php b/includes/api/class-wc-api-authentication.php
index 1fdf61e3de4cc..056e5b4d472e0 100644
--- a/includes/api/class-wc-api-authentication.php
+++ b/includes/api/class-wc-api-authentication.php
@@ -190,7 +190,7 @@ private function get_user_by_consumer_key( $consumer_key ) {
  */
 private function is_consumer_secret_valid( WP_User $user, $consumer_secret ) {
-return $user->woocommerce_api_consumer_secret === $consumer_secret;
+return hash_equals( $user->woocommerce_api_consumer_secret, $consumer_secret );
 }
 /**
@@ -246,7 +246,7 @@ private function check_oauth_signature( $user, $params ) {
 $signature = base64_encode( hash_hmac( $hash_algorithm, $string_to_sign, $user->woocommerce_api_consumer_secret, true ) );
-if ( $signature !== $consumer_signature ) {
+if ( ! hash_equals( $signature, $consumer_signature ) ) {
 throw new Exception( __( 'Invalid Signature - provided signature does not match', 'woocommerce' ), 401 );
 }
 }
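Review bot: Both replaced comparisons now hand request-supplied values straight to hash_equals(), which only accepts strings: `$consumer_secret` in is_consumer_secret_valid() and `$consumer_signature` in check_oauth_signature() originate outside the hunks, and a missing, null or array value makes hash_equals() emit a warning and return false on PHP 5.6/7 and throw a TypeError on PHP 8, so a malformed request becomes a 500 plus a log entry instead of the intended 401 (the old `===`/`!==` simply returned false). Guard the type before comparing, e.g. `return is_string( $consumer_secret ) && hash_equals( (string) $user->woocommerce_api_consumer_secret, $consumer_secret );` in the first hunk and `if ( ! is_string( $consumer_signature ) || ! hash_equals( $signature, $consumer_signature ) ) {` in the second; the cast on the stored secret is defensive in case the user meta is unset, which I cannot confirm from here. The known value is correctly placed as the first argument in both calls, so only the length of the stored secret, not of the attacker-controlled input, can influence timing. hash_equals() is native only from PHP 5.6 and WordPress has shipped a polyfill in wp-includes/compat.php since 3.9.2, so it is worth confirming the plugin's minimum WordPress version covers that. is_consumer_secret_valid() lies entirely within its hunk; check_oauth_signature() starts outside its hunk.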