[wp-trac] Re: [WordPress Trac] #6842: Password reset links produce
invalid keys
WordPress Trac
wp-trac at lists.automattic.com
Tue Apr 29 17:42:10 GMT 2008
#6842: Password reset links produce invalid keys
------------------------+---------------------------------------------------
Reporter: MtDewVirus    |  Owner: anonymous
Type: defect            |  Status: reopened
Priority: normal        |  Milestone: 2.5.2
Component: Security     |  Version: 2.5.1
Severity: normal        |  Resolution:
Keywords:               |
------------------------+---------------------------------------------------
Changes (by Otto42):
* status: closed => reopened
* version: 2.6 => 2.5.1
* resolution: fixed =>
* milestone: => 2.5.2
Comment:
This fix is incomplete. If the user_activation_key field contains any of
these special characters, then a valid key will not be generated. So
people who upgrade from the broken 2.5.1 to a fixed 2.5.2 will need to
manually clear their activation keys, or the code needs to be altered to
recognize broken keys and replace them anyway.
Suggestion: Code in wp-login.php:
{{{
$key = $wpdb->get_var($wpdb->prepare("SELECT user_activation_key FROM
$wpdb->users WHERE user_login = %s", $user_login));
if ( empty($key) ) {
}}}
Change the if check to this:
{{{
if ( empty($key) || preg_match('/[^a-z0-9]/i',$key) != 0) {
}}}
Which basically says that if it finds any characters that are not a-z0-9,
then it'll regenerate.
--
Ticket URL: <http://trac.wordpress.org/ticket/6842#comment:4>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
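
The check suggested in the comment above, worked through as an added example (not part of the original message and not WordPress code). The function names, the in-memory `$users` array standing in for the users table, the key generator and the sample keys are all assumptions constructed for illustration.

```php
<?php
// Added illustration, not WordPress code; every name here is hypothetical.

// Regenerated keys use only a-z, A-Z and 0-9, so they always pass the check.
const KEY_ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

// Build a key of $length alphanumeric characters from the CSPRNG.
function generate_reset_key(int $length = 20): string {
    $alphabet = KEY_ALPHABET;
    $key = '';
    for ($i = 0; $i < $length; $i++) {
        $key .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $key;
}

// The check from the comment: an empty key, or one containing anything other
// than a-z0-9 (case-insensitive), must be replaced. Comparing with !== 0 also
// treats a preg_match() error (false) as a broken key.
function key_needs_regeneration(?string $key): bool {
    return empty($key) || preg_match('/[^a-z0-9]/i', $key) !== 0;
}

// Return a usable key for $login, replacing a missing or broken stored one.
// $users stands in for the users table: login => user_activation_key.
function reset_key_for(array &$users, string $login): string {
    $key = $users[$login] ?? null;
    if (key_needs_regeneration($key)) {
        $key = generate_reset_key();
        $users[$login] = $key; // a database write in a real application
    }
    return $key;
}

// Constructed sample rows: a stored key with non-alphanumeric characters,
// an empty field, and a key that is already well formed.
$users = [
    'alice' => 'aB3$k9!x&Qz#',
    'bob'   => '',
    'carol' => 'Zx81kPq0Lm22Ab9TrY7c',
];

foreach (array_keys($users) as $login) {
    $before = $users[$login];
    $after  = reset_key_for($users, $login);
    printf("%-6s %-24s -> %s (%s)\n", $login, var_export($before, true), $after,
        $before === $after ? 'kept' : 'regenerated');
}
```

Only the well-formed key is kept; the other two rows are overwritten on the next reset request, which is the upgrade path the comment asks for without a manual cleanup of the field.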