[wp-trac] [WordPress Trac] #38474: wp_signups.activation_key stores activation keys in plain text
WordPress Trac
noreply at wordpress.org
Thu Oct 12 18:06:19 UTC 2017
#38474: wp_signups.activation_key stores activation keys in plain text
-------------------------+------------------------
Reporter: tomdxw | Owner: bor0
Type: enhancement | Status: assigned
Priority: normal | Milestone: 5.0
Component: Security | Version: 4.6.1
Severity: normal | Resolution:
Keywords: has-patch | Focuses: multisite
-------------------------+------------------------
Comment (by bor0):
Replying to [comment:13 SergeyBiryukov]:
> I might be missing something, but `wpmu_activate_signup()` only gets one
> row (`WHERE activation_key = %s`), why would it get all the rows from
> `$wpdb->signups`? I still don't see the need for `signup_id` there.
This is done so that we catch any legacy activation keys (see check where
`$key === $signup->activation_key`).
Replying to [comment:14 tomdxw]:
> I think it would be appropriate to use a timestamp here also.
I like this approach. Thanks! I will be updating the patch.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/38474#comment:15>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
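The following is an added illustration of the scheme discussed in this thread, not the ticket's patch or WordPress core code: the activation key is stored only as a hash, the row is looked up by `signup_id` rather than by the key, the presented key is verified against the hash, a legacy plain-text key is accepted as a fallback (the `$key === $signup->activation_key` case above), and the key expires after a fixed lifetime as tomdxw suggested. It assumes a plain PHP in-memory array standing in for `wp_signups`, PHP's `password_hash()`/`password_verify()` in place of WordPress's own hashing helpers, and a two-day key lifetime; all function names and sample rows are constructed for the example.

```php
<?php
declare(strict_types=1);

// Assumed lifetime of an activation key (two days); not a WordPress constant.
const KEY_TTL_SECONDS = 2 * 86400;

// Create a signup row. Only a hash of the key is written to the "table";
// the caller emails the plain key together with the signup_id.
function new_signup(array &$signups, string $user_login, int $now): array
{
    $key       = bin2hex(random_bytes(16));   // 128-bit random key for the email
    $signup_id = count($signups) + 1;
    $signups[$signup_id] = [
        'user_login'     => $user_login,
        'activation_key' => password_hash($key, PASSWORD_DEFAULT), // hashed at rest
        'registered'     => $now,
        'active'         => 0,
    ];
    return [$signup_id, $key];
}

// Activate a signup: look the row up by id, reject expired or already-used
// rows, then verify the key against the stored hash, falling back to a
// constant-time plain-text comparison for legacy rows that predate hashing.
function activate_signup(array &$signups, int $signup_id, string $key, int $now): array
{
    if (!isset($signups[$signup_id])) {
        return ['ok' => false, 'reason' => 'invalid_key'];
    }
    $signup = &$signups[$signup_id];

    if ($signup['active']) {
        return ['ok' => false, 'reason' => 'already_active'];
    }
    if ($now - $signup['registered'] > KEY_TTL_SECONDS) {
        return ['ok' => false, 'reason' => 'expired'];
    }

    $stored = $signup['activation_key'];
    if ($stored !== '' && $stored[0] === '$') {
        // Hashed row (password_hash output starts with "$").
        $valid = password_verify($key, $stored);
    } else {
        // Legacy row: key stored in plain text; compare without timing leaks.
        $valid = hash_equals($stored, $key);
    }
    if (!$valid) {
        return ['ok' => false, 'reason' => 'invalid_key'];
    }

    $signup['active']    = 1;
    $signup['activated'] = $now;
    // Upgrade a legacy row so the plain-text key no longer sits in storage.
    $signup['activation_key'] = password_hash($key, PASSWORD_DEFAULT);
    return ['ok' => true, 'user_login' => $signup['user_login']];
}

// Constructed sample data: one legacy row whose key is still in plain text.
$now     = time();
$signups = [
    1 => [
        'user_login'     => 'legacyuser',
        'activation_key' => 'a1b2c3d4e5f60718',
        'registered'     => $now - 3600,
        'active'         => 0,
    ],
];

[$id, $key] = new_signup($signups, 'newuser', $now);

echo 'wrong key:        ', json_encode(activate_signup($signups, $id, 'not-the-key', $now)), PHP_EOL;
echo 'correct key:      ', json_encode(activate_signup($signups, $id, $key, $now)), PHP_EOL;
echo 'legacy plain key: ', json_encode(activate_signup($signups, 1, 'a1b2c3d4e5f60718', $now)), PHP_EOL;
echo 'expired key:      ', json_encode(activate_signup($signups, $id, $key, $now + 3 * 86400)), PHP_EOL;
```

The lookup by `signup_id` is what makes the fallback possible: a hashed key can no longer be used in a `WHERE activation_key = %s` clause, so the row has to be selected by something that is not secret, and the same row then serves both the hashed and the legacy comparison. The expiry check uses the existing `registered` timestamp rather than adding a column, which is one reading of the timestamp suggestion above.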