[buddypress-trac] [BuddyPress Trac] #7914: Possibilities of duplicate activation_key.
buddypress-trac
noreply at wordpress.org
Wed Jul 4 14:03:47 UTC 2018
#7914: Possibilities of duplicate activation_key.
--------------------------+-----------------------------
Reporter: singhleo | Owner: (none)
Type: enhancement | Status: new
Priority: omg pizza | Milestone: Awaiting Review
Component: Registration | Version: 3.0.0
Severity: normal | Keywords:
--------------------------+-----------------------------
In the BuddyPress signup process we are generating the activation_key using
the `wp_generate_password` function without checking whether previously
generated keys already exist in the database.
I know that a string generated using wp_generate_password has a very, very
small chance of matching an existing key, but I still think that is possible.
An issue can be caused if the signup table has duplicate activation_keys:
1. We only send the user an activation email with the activation key appended
to the activation URL. Because of that, the activation key can activate
another user's account instead of the account of the user who is performing
the activation.
Some solutions:
1. Adding a relation with the signup_id or user email on the activation link,
and validating the activation_key in relation with the user email or
signup_id.
2. Or generating a unique activation_key by checking in the db (this can be a
heavy query if the signup table has a lot of data).
3. Adding a prefix of the signup_id to the activation_key generated by
wp_generate_password(). The activation_key field allows us to have 50 chars
and wp_generate_password is generating a 32-char-length key, so I think it
will be fine if we add a prefix of the signup_id to make it unique.
----
File bp-members-functions.php, line no. 1697.
Thanks,
Sorry for my English :).
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/7914>
BuddyPress Trac <http://buddypress.org/>
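As an added illustration of proposals 1 and 3 above (example code, not BuddyPress's own implementation): the key carries the signup_id as a prefix, stays within the 50-char column the reporter mentions, and is validated only against the row that prefix points at. The `$signups` array, `random_key_part()` and all function names are hypothetical stand-ins for the wp_signups table and wp_generate_password().

```php
<?php
// Added example, not BuddyPress code. $signups stands in for the wp_signups table.

const ACTIVATION_KEY_MAX_LEN = 50;   // width of the activation_key column (from the ticket)
const RANDOM_PART_LEN        = 32;   // length BuddyPress asks wp_generate_password() for

// Hypothetical stand-in for wp_generate_password( 32, false ): random alphanumerics.
function random_key_part( int $len = RANDOM_PART_LEN ): string {
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $out = '';
    for ( $i = 0; $i < $len; $i++ ) {
        $out .= $alphabet[ random_int( 0, strlen( $alphabet ) - 1 ) ];
    }
    return $out;
}

// Key is "<signup_id>-<random>": unique per row even if two random parts collide.
function make_activation_key( int $signup_id ): string {
    $key = $signup_id . '-' . random_key_part();
    if ( strlen( $key ) > ACTIVATION_KEY_MAX_LEN ) {
        throw new LengthException( 'activation_key exceeds column width' );
    }
    return $key;
}

// Resolve the key to the row named by its prefix, then compare against that
// row's stored key only. Returns the signup_id on success, null otherwise.
function validate_activation_key( array $signups, string $key ): ?int {
    if ( ! preg_match( '/^(\d+)-[A-Za-z0-9]{' . RANDOM_PART_LEN . '}$/', $key, $m ) ) {
        return null;
    }
    $signup_id = (int) $m[1];
    if ( ! isset( $signups[ $signup_id ] ) || $signups[ $signup_id ]['active'] ) {
        return null;
    }
    // Constant-time comparison so the check leaks nothing about the stored key.
    return hash_equals( $signups[ $signup_id ]['activation_key'], $key ) ? $signup_id : null;
}

// Constructed sample data: two pending signups.
$signups = [];
foreach ( [ 1 => 'alice@example.test', 2 => 'bob@example.test' ] as $id => $email ) {
    $signups[ $id ] = [ 'user_email'     => $email,
                        'active'         => false,
                        'activation_key' => make_activation_key( $id ) ];
}
// Signup 1's own key resolves to signup 1.
var_dump( validate_activation_key( $signups, $signups[1]['activation_key'] ) );
// Signup 1's random part re-labelled with prefix "2-" must not activate signup 2.
var_dump( validate_activation_key( $signups, '2-' . substr( $signups[1]['activation_key'], 2 ) ) );
```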