[wp-trac] [WordPress Trac] #21495: wp_insert_user allows a user to be created with empty passwords
WordPress Trac
noreply at wordpress.org
Fri Oct 4 15:45:13 UTC 2013
#21495: wp_insert_user allows a user to be created with empty passwords
-------------------------------------+------------------------------
 Reporter:  ancawonka                |       Owner:
     Type:  defect (bug)             |      Status:  new
 Priority:  normal                   |   Milestone:  Awaiting Review
Component:  Users                    |     Version:
 Severity:  minor                    |  Resolution:
 Keywords:  has-patch needs-testing  |
-------------------------------------+------------------------------

Comment (by cklosows):

I was in for the patch refresh, but I think the original thought was to
match up the 'insert' method with the 'edit' method so they both require a
password? Is that what you were hoping for @ancawonka?

I could see how there might be a few use cases. It appears that core and
the official iOS app handle this by not being able to accept an empty (or
all spaces) password string. Would updating this method to not allow empty
password strings be in line with the move towards a stronger password
requirement in admin though? Are there any cases where a non-official app
could send an authentication request with an empty password string that
core wouldn't fail validation on? wp-login.php doesn't accept one via
POST.

Just throwing out possible points of interest on the discussion...

--
Ticket URL: <http://core.trac.wordpress.org/ticket/21495#comment:5>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software