[wp-trac] [WordPress Trac] #10714: Bail out from password reset for invalid keys
WordPress Trac
wp-trac at lists.automattic.com
Tue Sep 1 16:24:35 UTC 2009
#10714: Bail out from password reset for invalid keys
-------------------------+--------------------------------------------------
Reporter: wet | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Unassigned
Component: General | Version: 2.8.4
Severity: normal | Keywords:
-------------------------+--------------------------------------------------
The key protecting the password reset event is
[http://core.trac.wordpress.org/browser/trunk/wp-login.php?rev=11874#L155
a string of a known length of characters from a known character set].
Nevertheless, on the receiving end WordPress tries to
[http://core.trac.wordpress.org/browser/trunk/wp-login.php?rev=11874#L188
filter out invalid characters] from the key despite knowing that these
must not be there in the first place.
I suggest simply refusing to work with invalid keys and handling that as an
error condition.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/10714>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
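
An added PHP example (not code from the ticket or from WordPress core) contrasting the filter-then-continue handling the ticket describes with outright rejection of malformed keys. The 20-character length, the [A-Za-z0-9] character set, both function names and the sample inputs are assumptions made for illustration.

```php
<?php
// Assumption for this example: keys are 20 characters from [A-Za-z0-9].
const RESET_KEY_LENGTH = 20;

// Handling the ticket describes: strip unexpected characters, then carry on.
// Hypothetical helper name.
function sanitize_reset_key(string $key): string {
    return preg_replace('/[^a-z0-9]/i', '', $key);
}

// Handling the ticket proposes: a malformed key is an error, not something
// to repair. Returns the key unchanged, or null when it must be refused.
// Hypothetical helper name.
function validate_reset_key($key): ?string {
    if (!is_string($key)) {
        return null; // e.g. a request parameter that arrives as an array
    }
    // \A and \z anchor the whole string; "$" would tolerate a trailing newline.
    $pattern = '/\A[A-Za-z0-9]{' . RESET_KEY_LENGTH . '}\z/';
    return preg_match($pattern, $key) === 1 ? $key : null;
}

// Constructed sample inputs, not taken from any real system.
$samples = [
    'well-formed'             => 'aB3dE6gH9jK2mN5pQ8sT',
    'padded with punctuation' => "aB3d-E6gH 9jK2'mN5p;Q8sT",
    'trailing newline'        => "aB3dE6gH9jK2mN5pQ8sT\n",
    'too short'               => 'aB3dE6',
    'empty'                   => '',
];

foreach ($samples as $label => $input) {
    $filtered = sanitize_reset_key($input);
    $strict   = validate_reset_key($input);
    printf(
        "%-24s filtered=%-22s strict=%s\n",
        $label,
        "'" . $filtered . "'",
        $strict === null ? 'REJECTED' : 'accepted'
    );
}
```

With filtering, the first three inputs all collapse to the same key and proceed to the lookup; with strict validation only the well-formed one gets that far, and the rest surface as an error that can be logged.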