[wp-trac] [WordPress Trac] #38474: wp_signups.activation_key stores activation keys in plain text
WordPress Trac
noreply at wordpress.org
Wed Oct 11 20:39:42 UTC 2017
#38474: wp_signups.activation_key stores activation keys in plain text
-------------------------+------------------------
Reporter: tomdxw | Owner: bor0
Type: enhancement | Status: assigned
Priority: normal | Milestone: 5.0
Component: Security | Version: 4.6.1
Severity: normal | Resolution:
Keywords: has-patch | Focuses: multisite
-------------------------+------------------------
Changes (by bor0):
* keywords: needs-patch => has-patch
Comment:
Hey @jeremyfelt!
Looking at the previous patch I just recalled why I introduced `signup_id`
to the GET parameter.
It's so that we don't need to get all the rows from `$wpdb->signups`, and
call `CheckPassword` on each one of them to see if it matches. We can get
rid of `signup_id` but it's probably faster to do it this way?
In #24783 they use the same approach, but use `user_login` instead of
`signup_id`. However, we don't have `user_login` in this context.
In any case I updated the patch to throw a `WP_Error` in the case of
`$key === $signup->activation_key` for legacy data, and also did some code
style fixes and updated the filters to contain the hashed key as well.
Let me know how that looks and we can go from there.
Thanks!
--
Ticket URL: <https://core.trac.wordpress.org/ticket/38474#comment:12>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
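The lookup-by-`signup_id` flow the comment describes, as an added illustration that is not the ticket's patch or WordPress core code. It assumes stand-ins: `password_hash()`/`password_verify()` for `wp_hash_password()`/`wp_check_password()`, an in-memory `$signups` array for `$wpdb->signups`, and a hypothetical `SignupError` class for `WP_Error`.

```php
<?php
// Added illustration, not WordPress core. Stand-ins: password_hash()/password_verify()
// for wp_hash_password()/wp_check_password(), $signups array for $wpdb->signups,
// SignupError (hypothetical) for WP_Error.

final class SignupError {
    public function __construct(public string $code, public string $message) {}
}

// Create a signup the way the hashed scheme stores it: only the hash lands in
// activation_key; the raw key goes into the activation link together with signup_id.
function create_signup(array &$signups, string $email): array {
    $key = bin2hex(random_bytes(16));   // raw activation key, sent to the user only
    $id  = count($signups) + 1;
    $signups[$id] = ['signup_id' => $id, 'user_email' => $email, 'active' => 0,
                     'activation_key' => password_hash($key, PASSWORD_DEFAULT)];
    return ['signup_id' => $id, 'key' => $key];
}

// Activate using signup_id from the request: one row fetch and one hash check,
// instead of reading every signups row and running the password check on each.
function activate_signup(array &$signups, int $signup_id, string $key): array|SignupError {
    $signup = $signups[$signup_id] ?? null;
    if ($signup === null) {
        return new SignupError('invalid_key', 'Invalid activation key.');
    }
    if ($signup['active']) {
        return new SignupError('already_active', 'The site is already active.');
    }
    // Legacy rows still hold the key in plain text; per the comment, a plain-text
    // match is rejected with an error rather than treated as a valid activation.
    if (hash_equals($signup['activation_key'], $key)) {
        return new SignupError('legacy_key', 'Activation key is stored unhashed.');
    }
    if (!password_verify($key, $signup['activation_key'])) {
        return new SignupError('invalid_key', 'Invalid activation key.');
    }
    $signups[$signup_id]['active'] = 1;
    return $signups[$signup_id];
}

// Usage on constructed data: a hashed signup activates, a legacy plain-text row does not.
$signups = [];
$link = create_signup($signups, 'user@example.test');
var_dump($signups[$link['signup_id']]['activation_key'] !== $link['key']);  // stored value is the hash
var_dump(activate_signup($signups, $link['signup_id'], $link['key']));       // activated row
$signups[2] = ['signup_id' => 2, 'user_email' => 'old@example.test',
               'active' => 0, 'activation_key' => 'legacyplaintextkey'];    // constructed legacy row
var_dump(activate_signup($signups, 2, 'legacyplaintextkey'));               // SignupError('legacy_key')
```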