[wp-hackers] Changeset 11804
Thomas Scholz
info at toscho.de
Tue Aug 11 14:13:29 UTC 2009
Andrew Ozz:
> Could we get some testing and more "eyes" on
> https://core.trac.wordpress.org/changeset/11804 (for the 2.8 branch) or
> [11801], [11802] and [11803] for trunk. They fix an annoyance in
> wp-login.php where the password could be reset without the user
> realizing it.
Where is the bug for this? I know
<http://core.trac.wordpress.org/changeset/11798> and there are maybe more.
But I couldn’t find the bug discussion.
I tried to fix this in my own installation:
- $key = preg_replace('/[^a-z0-9]/i', '', $key);
+ if ( !is_string($key) or (!preg_match('/[^a-z0-9]/i', $key) ) )
{
// This could be done much better …
die('Go away!');
}
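Review bot: the condition on the "+" line is inverted. The pattern /[^a-z0-9]/i matches a character outside the allowed set, so !preg_match(...) is true for a key made only of allowed characters and false for a key that contains anything else. As written, well-formed keys reach die('Go away!') and keys with disallowed characters pass through unchanged, where the removed line at least stripped them. Either drop the negation, or test a positive, fully anchored pattern such as !preg_match('/^[a-z0-9]+\z/i', $key), which also rejects an empty key. Use \z rather than $ there, because $ still matches before a trailing newline.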
Changeset 11798 for example doesn’t look for U+00A0 ( ), U+0000 etc.
Could this be a problem?
Thomas
--
Redaktion, Druck- und Webdesign
http://toscho.de · 0160/1764727
Twitter: @toscho