[wp-trac] [WordPress Trac] #63829: Sanitize return value of 'nonce_life' filters in wp_nonce_tick() to avoid DivisionByZeroError
WordPress Trac
noreply at wordpress.org
Fri Aug 15 14:01:51 UTC 2025
#63829: Sanitize return value of 'nonce_life' filters in wp_nonce_tick() to avoid DivisionByZeroError
-------------------------+-----------------------------
Reporter: marian1 | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Keywords:
Focuses: |
-------------------------+-----------------------------
`wp_nonce_tick()` uses the return value of a `nonce_life` filter in a
division. If that filter returns zero, or any other value that evaluates
to zero in a numeric context, `wp_nonce_tick()` will perform a division by
zero. This results in a `DivisionByZeroError` on PHP 8, or a warning with
a return value of `float(INF)` on PHP 7.
{{{#!php
<?php
$nonce_life = apply_filters( 'nonce_life', DAY_IN_SECONDS, $action );
return ceil( time() / ( $nonce_life / 2 ) );
}}}
Values received from filters should be validated and sanitised before use.
In this case, `wp_nonce_tick()` should handle invalid values gracefully by
falling back to the default lifespan when the filtered value is not a
positive integer.
For example:
{{{#!php
<?php
$nonce_life = (int) apply_filters( 'nonce_life', DAY_IN_SECONDS, $action );
if ( $nonce_life <= 0 ) {
	$nonce_life = DAY_IN_SECONDS;
}
}}}
This would prevent fatal errors when a filter (mistakenly) returns a value
that evaluates to zero.
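To see which filter return values the proposed check actually catches, here is an added self-contained PHP script (not WordPress core code and not part of the ticket) that stubs `add_filter()`/`apply_filters()` and runs the current and proposed tick calculations against constructed filter return values; the stub hook API and the sample values are assumptions made for the demo.

```php
<?php
// Added example, not WordPress core: a minimal stand-in for the hook API so the
// snippet runs without WordPress. Only the 'nonce_life' filter is modelled.
const DAY_IN_SECONDS = 86400;
$GLOBALS['nonce_filters'] = [];

function add_filter( string $hook, callable $cb ): void {
	$GLOBALS['nonce_filters'][ $hook ][] = $cb;
}

function apply_filters( string $hook, $value, ...$args ) {
	foreach ( $GLOBALS['nonce_filters'][ $hook ] ?? [] as $cb ) {
		$value = $cb( $value, ...$args );
	}
	return $value;
}

// Current behaviour: the filtered value goes straight into a division.
function nonce_tick_unsanitized( string $action ) {
	$nonce_life = apply_filters( 'nonce_life', DAY_IN_SECONDS, $action );
	return ceil( time() / ( $nonce_life / 2 ) );
}

// Proposed behaviour: cast to int, fall back to the default when not positive.
function nonce_tick_sanitized( string $action ) {
	$nonce_life = (int) apply_filters( 'nonce_life', DAY_IN_SECONDS, $action );
	if ( $nonce_life <= 0 ) {
		$nonce_life = DAY_IN_SECONDS;
	}
	return ceil( time() / ( $nonce_life / 2 ) );
}

// Constructed return values a buggy filter callback might produce.
$samples = [ 0, '', null, false, 'abc', '0', -5, 0.4, '3600', 3600.9 ];

foreach ( $samples as $bad ) {
	$GLOBALS['nonce_filters'] = [];
	add_filter( 'nonce_life', fn( $life, $action ) => $bad );
	try {
		// PHP 7: warning plus float(INF) for zero-like values.
		$current = var_export( nonce_tick_unsanitized( 'demo' ), true );
	} catch ( Error $e ) {
		// PHP 8: DivisionByZeroError for zero-like values; a non-numeric
		// string such as 'abc' raises TypeError from the inner division.
		$current = get_class( $e );
	}
	printf( "%-8s current: %-20s sanitized: %s\n",
		var_export( $bad, true ), $current, nonce_tick_sanitized( 'demo' ) );
}
```

Note that `-5` and `0.4` do not raise on either PHP version in the current code (they yield a negative or inflated tick), yet both fall through to the default lifespan in the sanitized version because `(int)` plus the `<= 0` check covers them.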
--
Ticket URL: <https://core.trac.wordpress.org/ticket/63829>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform