
Changeset 2310258


Timestamp: 05/22/2020 02:58:57 PM (6 years ago)
Author: emfluencekc
Message: Security refinement per Wordpress plugin review comments
Location: multisite-multidomain-single-sign-on/trunk
Files: 2 edited

  • multisite-multidomain-single-sign-on/trunk/multisite-multidomain-single-sign-on.php

    r2305137 r2310258  
    33Plugin Name: Multisite Multidomain Single Sign On
    44Description: Automatically sign the user in to separate-domain sites of the same multisite installation, when switching sites using the My Sites links in the admin menu. Note that the user already has to be logged into a site in the network, this plugin just cuts down on having to log in again due to cookie isolation between domains. Note: This plugin must be installed on all sites in a network in order to work.
    5 Version: 1.1
     5Version: 1.2
    66Requires at least: 5.0
    77Tested up to: 5.4.1
     
    8383    $current_user = wp_get_current_user();
    8484    $expires = strtotime('+2 minutes');
    85     $hash = $this->hash(intval($current_user->ID) . '||' . intval($expires));
     85
     86    /*
     87     * The user's password hash is a user-specific, expirable, private piece of information
     88     * that prevents brute force hacking of the salt if an attacker has the query parameters.
     89     */
     90    $user_pass_hash = $this->get_user_password_hash($current_user->ID);
     91    if(empty($user_pass_hash)) {
     92      wp_die('Single Sign On failed. Your password hash was empty. Try changing your Wordpress password.');
     93    }
     94
     95    $hash = $this->hash(implode('||', [intval($current_user->ID), intval($expires), $user_pass_hash]));
    8696    if(empty($hash)) {
    8797      wp_die('Single Sign On failed. The network needs a secure salt.');
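Review bot: the new comment block above $user_pass_hash gives the wrong rationale. A random network salt is not brute-forceable from the query parameters in the first place, so what mixing user_pass into the token actually buys is (a) the token stays unforgeable even on a network whose salt is weak or shared, and (b) every outstanding token is invalidated the moment the user's password changes; the comment should say that instead. Two things this hunk cannot show and the reviewer should confirm before merge: the body of $this->hash() is not in the diff, so verify it is an HMAC (hash_hmac() keyed with the salt) rather than a plain digest over salt-prefixed data, which would be open to length extension; and nothing visible consumes a token once it has been used, so a link captured from a referrer header or proxy log stays replayable for the full two-minute window set by strtotime('+2 minutes').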
     
    116126
    117127    if($expires < time()) {
    118       wp_die('Your Single Sing On link has expired. Please return to the dashboard and try again.');
     128      wp_die('Your Single Sign On link has expired. Please return to the dashboard and try again.');
    119129    }
    120     $expected_hash = $this->hash($user_id . '||' . $expires);
     130    $user_pass_hash = $this->get_user_password_hash($user_id);
     131    $expected_hash = $this->hash(implode('||', [intval($user_id), intval($expires), $user_pass_hash]));
    121132    if(empty($expected_hash)) {
    122133      wp_die('Single Sign On failed. The network needs a secure salt.');
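Review bot: the verifying side does not mirror the empty-hash guard the generating side just gained. If get_user_password_hash($user_id) returns null (the ID in the query string does not exist), $expected_hash is silently computed over "<id>||<expires>||" and execution continues into the comparison. Add the same guard before computing $expected_hash, e.g.:
    if(empty($user_pass_hash)) {
      wp_die('Single Sign On failed. Unknown user.');
    }
The comparison between $expected_hash and the hash supplied in the URL is outside this hunk; make sure it uses hash_equals() rather than == or ===, so the check is constant-time and not subject to PHP's loose numeric-string comparison of digests.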
     
    137148
    138149  /**
     150   * @param int $uid
     151   * @return string|null
     152   */
     153  protected function get_user_password_hash($uid) {
     154    global $wpdb;
     155    return $wpdb->get_var($wpdb->prepare("SELECT user_pass FROM {$wpdb->users} WHERE ID = %d", $uid)); // phpcs:ignore WordPressVIPMinimum.Variables.RestrictedVariables.user_meta__wpdb__users
     156  }
     157
     158  /**
    139159   * Create a secure hash that can only be recreated from this Wordpress install's secret salt.
    140160   * @param string $thing
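Review bot: the new helper queries wp_users directly and then suppresses the VIP restricted-variables sniff for it. get_user_by('id', $uid) returns a WP_User whose user_pass property carries the same value, served from the object cache, which removes the raw query and the phpcs:ignore and keeps the plugin on the public API; if the direct query is kept on purpose (users is a network-wide table, so either path works across sites), say so in the docblock. The @return string|null annotation is accurate for get_var() with no matching row, and the %d placeholder is the right choice given that the caller passes an untrusted $user_id.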
  • multisite-multidomain-single-sign-on/trunk/readme.txt

    r2305137 r2310258  
    66Tested up to: 5.4.1
    77Requires PHP: 7.0
    8 Stable tag: 1.1
     8Stable tag: 1.2
    99License: GPLv2 or later
    1010License URI: https://www.gnu.org/licenses/gpl-2.0.html
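Review bot: only Stable tag moves in readme.txt, yet this release changes the token format: a site still on 1.1 hashes "<id>||<expires>" while a 1.2 site hashes "<id>||<expires>||<user_pass>", so cross-site links between mixed-version sites will fail with "Single Sign On failed" until every site in the network is on 1.2. The plugin description already states it must be installed on all sites; add a 1.2 changelog entry saying that all sites must be upgraded together and why (the token now binds to the user's password hash, so a password change also invalidates links).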