[buddypress-trac] [BuddyPress] #2289: Spam accounts bypassing 'bp_signup_validate' action [HAS PATCH]

buddypress-trac at lists.automattic.com
Tue Apr 6 21:23:05 UTC 2010

#2289: Spam accounts bypassing 'bp_signup_validate' action [HAS PATCH]
 Reporter:  rvenable  |       Owner:           
     Type:  defect    |      Status:  new      
 Priority:  major     |   Milestone:  1.2.4    
Component:  Core      |    Keywords:  has-patch

 I have a function hooked onto the 'bp_signup_validate' action in which I
 validate user signups. It works correctly when going through the normal
 signup steps, but somehow spammers are able to create accounts that aren't
 validated by the 'bp_signup_validate' action.

 I'm not sure how they are doing it exactly, but I did find some code in
 bp-core-signup that appears to provide a hole for spammers. The
 bp_core_wpsignup_redirect() function calls wp_redirect to redirect from
 wp-signup.php to the BP register page, but it doesn't call die() after
 redirect, so it would appear that the wp-signup.php code would still get
 executed. The correct function to call would be bp_core_redirect() (see
 attached patch) or at least call die() after wp_redirect().

Ticket URL: <http://trac.buddypress.org/ticket/2289>
BuddyPress <http://buddypress.org/>
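
The pattern the ticket describes (a redirect that sets a Location header but does not end the request), shown as an added example that is not part of the original ticket and is not BuddyPress or WordPress code. Every function, class and value below is a hypothetical stand-in, and an exception stands in for die() so both paths can run in one script.

```php
<?php
// Added illustration only: stand-ins, not BuddyPress or WordPress code.

final class RequestEnded extends Exception {}  // stands in for die()/exit

$headers = [];  // headers "sent" to the client
$created = [];  // accounts created by the legacy signup handler

// Mimics the behaviour described in the ticket: set Location, then return.
function demo_redirect(string $url): void {
    global $headers;
    $headers[] = "Location: $url";
}

// Hypothetical fixed variant: redirect, then stop the request.
function demo_redirect_and_stop(string $url): void {
    demo_redirect($url);
    throw new RequestEnded();
}

// Hypothetical legacy signup page: the redirect hook runs first, then the
// old handler. The server runs the handler whether or not the client
// follows the Location header.
function legacy_signup_page(callable $redirect, array $post): void {
    global $created;
    $redirect('/register');
    // Reached only if the redirect did not end the request.
    // No validation hook runs on this path.
    if (isset($post['user_name'])) {
        $created[] = $post['user_name'];
    }
}

function run(callable $redirect): array {
    global $headers, $created;
    $headers = $created = [];
    try {
        // Constructed sample POST body.
        legacy_signup_page($redirect, ['user_name' => 'constructed-bot']);
    } catch (RequestEnded $e) {
        // Request terminated right after the redirect.
    }
    return ['headers' => $headers, 'created' => $created];
}

$without = run('demo_redirect');
$with    = run('demo_redirect_and_stop');
printf("redirect only:      created=%s\n", json_encode($without['created']));
printf("redirect then stop: created=%s\n", json_encode($with['created']));
```

Both runs send the same Location header; only the variant that stops the request keeps the legacy handler from executing. In WordPress code the corresponding idiom is wp_redirect() followed immediately by exit.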
