[wp-trac] [WordPress Trac] #32429: Password reset links should expire

WordPress Trac noreply at wordpress.org
Thu Jun 18 23:11:36 UTC 2015


#32429: Password reset links should expire
--------------------------+--------------------------
 Reporter:  markjaquith   |       Owner:  markjaquith
     Type:  defect (bug)  |      Status:  reviewing
 Priority:  normal        |   Milestone:  4.3
Component:  Security      |     Version:
 Severity:  normal        |  Resolution:
 Keywords:  has-patch     |     Focuses:
--------------------------+--------------------------
Changes (by johnbillion):

 * keywords:  has-patch needs-unit-tests => has-patch
 * owner:  johnbillion => markjaquith


Comment:

 [attachment:32429.tests.diff] introduces tests for:

  * Valid, invalid (including truncated), and empty keys.
  * Valid, invalid, and empty keys when a user has a legacy
 `user_activation_key`.
  * Valid, invalid, and empty keys when a user has a non-hashed
 `user_activation_key`.
  * Invalid and empty keys when a user has no `user_activation_key`.

 The tests currently fail because legacy keys are being rejected as expired
 (using [attachment:32429.4.diff]). As Nacin mentioned above, we could
 actually invalidate these; otherwise a years-old key that exists prior to
 4.3 will remain valid until a new one is generated.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/32429#comment:19>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
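
A sketch of the decision logic that the test matrix in the comment above exercises, added here as an example; it is not code from WordPress core or from the attached patches. The `<timestamp>:<hash>` stored format, the 24-hour window, SHA-256 as a stand-in hasher, the `accept_legacy` flag and all function names are assumptions.

```python
import hashlib
import hmac

EXPIRY_SECONDS = 24 * 60 * 60  # assumed lifetime of a reset link


def _digest(key: str) -> str:
    # Stand-in hasher (plain SHA-256), for illustration only.
    return hashlib.sha256(key.encode()).hexdigest()


def _eq(a: str, b: str) -> bool:
    # Constant-time comparison; bytes so non-ASCII input cannot raise.
    return hmac.compare_digest(a.encode(), b.encode())


def make_stored_key(key: str, issued_at: int) -> str:
    # Assumed new-style stored value: "<issued_at>:<hash of key>".
    return f"{issued_at}:{_digest(key)}"


def check_reset_key(presented, stored, now, accept_legacy=False):
    """Classify a presented reset key as 'valid', 'invalid' or 'expired'."""
    if not presented or not stored:
        return "invalid"  # empty key, or the user has no stored key
    issued, sep, stored_hash = stored.partition(":")
    if sep and issued.isdecimal():
        # Timestamped value: the key must match, then must be fresh.
        if not _eq(_digest(presented), stored_hash):
            return "invalid"
        return "valid" if now - int(issued) <= EXPIRY_SECONDS else "expired"
    # No timestamp: a legacy hashed value or a non-hashed value.
    if not (_eq(_digest(presented), stored) or _eq(presented, stored)):
        return "invalid"
    # Age is unknowable here, so the policy flag decides.
    return "valid" if accept_legacy else "expired"


if __name__ == "__main__":
    now, key = 1_434_668_000, "Zx4mExampleResetKey1"  # constructed values
    cases = {
        "fresh": make_stored_key(key, now - 3600),
        "stale": make_stored_key(key, now - 2 * EXPIRY_SECONDS),
        "legacy hashed": _digest(key),
        "non-hashed": key,
    }
    for name, stored in cases.items():
        print(name, check_reset_key(key, stored, now),
              check_reset_key(key[:10], stored, now))
```

With `accept_legacy=False` a matching legacy or non-hashed value is reported as expired; with `accept_legacy=True` it stays valid regardless of age until a new key replaces it.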

