[wp-trac] [WordPress Trac] #47192: Allow users to enter recovery mode via their registered email
WordPress Trac
noreply at wordpress.org
Sun May 19 22:45:21 UTC 2019
#47192: Allow users to enter recovery mode via their registered email
----------------------------------+------------------------------
 Reporter:  spacedmonkey          |       Owner:  (none)
     Type:  enhancement           |      Status:  new
 Priority:  normal                |   Milestone:  Awaiting Review
Component:  General               |     Version:  5.2
 Severity:  normal                |  Resolution:
 Keywords:  servehappy has-patch  |     Focuses:
----------------------------------+------------------------------
Comment (by TimothyBlynJacobs):
I think it's tough to discuss the possible security ramifications without a
working patch. Off the bat, I don't see the same timing-related issue
because it looks like the permissions check is happening at a normal time.
However, forcing recovery mode like this does worry me. But again, hard to
say without digging into it.
-----
As an aside, we shouldn't expose the email service. That is an
implementation detail of the recovery mode controller. Instead, the
request actions should probably be processed inside `WP_Recovery_Mode` so
it can pass the selected email address to
`maybe_send_recovery_mode_email`.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/47192#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform