[wp-trac] [WordPress Trac] #32429: Password reset links should expire
WordPress Trac
noreply at wordpress.org
Thu Jun 18 23:11:36 UTC 2015
#32429: Password reset links should expire
--------------------------+--------------------------
 Reporter:  markjaquith   |       Owner:  markjaquith
     Type:  defect (bug)  |      Status:  reviewing
 Priority:  normal        |   Milestone:  4.3
Component:  Security      |     Version:
 Severity:  normal        |  Resolution:
 Keywords:  has-patch     |     Focuses:
--------------------------+--------------------------
Changes (by johnbillion):
* keywords: has-patch needs-unit-tests => has-patch
* owner: johnbillion => markjaquith
Comment:
[attachment:32429.tests.diff] introduces tests for:
* Valid, invalid (including truncated), and empty keys.
* Valid, invalid, and empty keys when a user has a legacy
`user_activation_key`.
* Valid, invalid, and empty keys when a user has a non-hashed
`user_activation_key`.
* Invalid and empty keys when a user has no `user_activation_key`.
The tests currently fail because legacy keys are being rejected as expired
(using [attachment:32429.4.diff]). As Nacin mentioned above, we could
actually invalidate these, otherwise a years-old key that exists prior to
4.3 will remain valid until a new one is generated.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/32429#comment:19>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
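
An added example, not WordPress core code and not taken from the attached patches: a Python model of a reset-key check covering the key classes the tests above list, with legacy values that carry no issue time reported as expired rather than valid. The `<unix time>:<hash>` storage layout, the one-day lifetime, the PBKDF2 stand-in hasher and all function names are assumptions.

```python
import hashlib
import hmac

LIFETIME = 24 * 60 * 60  # assumed reset-link lifetime, in seconds


def hash_key(key: str, salt: str = "c0ffee") -> str:
    """Stand-in hasher (assumption). The fixed salt is constructed sample data."""
    digest = hashlib.pbkdf2_hmac("sha256", key.encode(), salt.encode(), 10_000)
    return f"{salt}${digest.hex()}"


def hash_matches(key: str, stored_hash: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, sep, _ = stored_hash.partition("$")
    if not sep:
        return False  # not a hash at all, e.g. a legacy plain-text key
    return hmac.compare_digest(hash_key(key, salt).encode(), stored_hash.encode())


def check_reset_key(submitted: str, stored: str, now: int) -> str:
    """Return 'valid', 'expired' or 'invalid' for a submitted reset key."""
    if not submitted or not stored:
        return "invalid"  # empty key, or the user has no key on record
    issued, sep, stored_hash = stored.partition(":")
    if sep and issued.isdecimal():
        # Assumed current layout: "<unix time>:<hash>".
        if not hash_matches(submitted, stored_hash):
            return "invalid"  # wrong or truncated key
        return "valid" if now < int(issued) + LIFETIME else "expired"
    # Legacy value with no issue time: a bare hash or the plain key itself.
    # A match cannot be dated, so it is reported as expired, never as valid.
    plain_match = hmac.compare_digest(submitted.encode(), stored.encode())
    return "expired" if plain_match or hash_matches(submitted, stored) else "invalid"


if __name__ == "__main__":
    key, now = "Zr4kQ9constructedKey", 1_434_668_000  # constructed sample values
    cases = {
        "current": f"{now - 60}:{hash_key(key)}",
        "current, too old": f"{now - LIFETIME - 1}:{hash_key(key)}",
        "legacy hashed": hash_key(key),
        "legacy non-hashed": key,
        "no key on record": "",
    }
    for label, stored in cases.items():
        for name, sub in (("valid", key), ("truncated", key[:-1]), ("empty", "")):
            print(f"{label:18} {name:10} {check_reset_key(sub, stored, now)}")
```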