[wp-trac] [WordPress Trac] #38474: wp_signups.activation_key stores activation keys in plain text
WordPress Trac
noreply at wordpress.org
Thu Oct 12 00:59:18 UTC 2017
#38474: wp_signups.activation_key stores activation keys in plain text
-------------------------+------------------------
Reporter: tomdxw | Owner: bor0
Type: enhancement | Status: assigned
Priority: normal | Milestone: 5.0
Component: Security | Version: 4.6.1
Severity: normal | Resolution:
Keywords: has-patch | Focuses: multisite
-------------------------+------------------------
Comment (by SergeyBiryukov):
Replying to [comment:12 bor0]:
> Looking at the previous patch I just recalled why I introduced `signup_id` to the GET parameter.
>
> It's so that we don't need to get all the rows from `$wpdb->signups`, and call `CheckPassword` on each one of them to see if it matches. We can get rid of `signup_id` but it's probably faster to do it this way?
I might be missing something, but `wpmu_activate_signup()` only gets one row (`WHERE activation_key = %s`), so why would it get all the rows from `$wpdb->signups`? I still don't see the need for `signup_id` there.
On a related note, the patch adds a `Signup ID` input to the activation form. Where is the user supposed to get that value?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/38474#comment:13>
WordPress Trac <https://core.trac.wordpress.org/>
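The trade-off the two comments are discussing, as an added illustration that is not WordPress core code and not the ticket's patch: once `activation_key` is stored as a salted hash, there is no plaintext value to put in `WHERE activation_key = %s`, so the activation handler must either check the submitted key against every inactive row or be handed a row identifier (the `signup_id` from the link) and verify a single hash. The example uses an in-memory array in place of `$wpdb->signups` and PHP's `password_hash()`/`password_verify()` in place of `wp_hash_password()`/`CheckPassword`; `make_signup()`, `find_by_key_scan()`, `find_by_id_and_key()` and the verify-call counter are constructed for this example.

```php
<?php
// Added example, not WordPress core code. Shows why hashing
// wp_signups.activation_key changes how the activation row is found.

// Counts hash verifications so the cost of each lookup strategy is visible.
$verify_calls = 0;

function check_key(string $key, string $stored_hash): bool {
    global $verify_calls;
    $verify_calls++;
    // Stands in for CheckPassword(): constant-time compare against a salted hash.
    return password_verify($key, $stored_hash);
}

// Creates a pending signup. Only the hash of the key is written to the table;
// the plaintext key exists solely in the activation link sent to the user.
function make_signup(array &$signups, string $email): array {
    $key = bin2hex(random_bytes(16));
    $id  = count($signups) + 1;
    $signups[] = [
        'signup_id'      => $id,
        'user_email'     => $email,
        'activation_key' => password_hash($key, PASSWORD_DEFAULT), // wp_hash_password() stand-in
        'active'         => 0,
    ];
    return ['signup_id' => $id, 'key' => $key];
}

// Strategy 1: the link carries only the key. With salted hashes in the table
// there is nothing to match in SQL, so every inactive row has to be checked.
function find_by_key_scan(array $signups, string $key): ?int {
    foreach ($signups as $row) {
        if (!$row['active'] && check_key($key, $row['activation_key'])) {
            return $row['signup_id'];
        }
    }
    return null;
}

// Strategy 2: the link also carries signup_id, so the row is fetched by its
// identifier (one indexed lookup) and exactly one hash verification runs.
function find_by_id_and_key(array $signups, int $signup_id, string $key): ?int {
    foreach ($signups as $row) {
        if ($row['signup_id'] === $signup_id) {
            if (!$row['active'] && check_key($key, $row['activation_key'])) {
                return $signup_id;
            }
            return null; // wrong key for this row: do not keep scanning others
        }
    }
    return null;
}

// Constructed sample data: five earlier signups plus the one being activated.
$signups = [];
for ($i = 1; $i <= 5; $i++) {
    make_signup($signups, "user{$i}@example.test");
}
$link = make_signup($signups, 'user6@example.test');

$verify_calls = 0;
$found = find_by_key_scan($signups, $link['key']);
printf("scan:       found signup %s after %d hash checks\n", var_export($found, true), $verify_calls);

$verify_calls = 0;
$found = find_by_id_and_key($signups, $link['signup_id'], $link['key']);
printf("id + key:   found signup %s after %d hash checks\n", var_export($found, true), $verify_calls);

$verify_calls = 0;
$found = find_by_id_and_key($signups, $link['signup_id'], 'not-the-real-key');
printf("wrong key:  result %s after %d hash checks\n", var_export($found, true), $verify_calls);
```

Run it with `php example.php`. The scan variant performs one `password_verify()` per inactive row ahead of the match (six here, and growing with table size), while the id-plus-key variant performs exactly one regardless of table size; a wrong key against a known id also costs one check and returns `NULL`. Either way the table never holds a usable activation key, which is the point of the ticket; the `signup_id` only decides how much work the lookup does.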