[wp-trac] [WordPress Trac] #38474: wp_signups.activation_key stores activation keys in plain text

WordPress Trac noreply at wordpress.org
Thu Oct 12 00:59:18 UTC 2017


#38474: wp_signups.activation_key stores activation keys in plain text
-------------------------+------------------------
 Reporter:  tomdxw       |       Owner:  bor0
     Type:  enhancement  |      Status:  assigned
 Priority:  normal       |   Milestone:  5.0
Component:  Security     |     Version:  4.6.1
 Severity:  normal       |  Resolution:
 Keywords:  has-patch    |     Focuses:  multisite
-------------------------+------------------------

Comment (by SergeyBiryukov):

 Replying to [comment:12 bor0]:
 > Looking at the previous patch I just recalled why I introduced
 > `signup_id` to the GET parameter.
 >
 > It's so that we don't need to get all the rows from `$wpdb->signups`,
 > and call `CheckPassword` on each one of them to see if it matches. We can
 > get rid of `signup_id` but it's probably faster to do it this way?

 I might be missing something, but `wpmu_activate_signup()` only gets one
 row (`WHERE activation_key = %s`), why would it get all the rows from
 `$wpdb->signups`? I still don't see the need for `signup_id` there.

 On a related note, the patch adds a `Signup ID` input to the activation
 form. Where is the user supposed to get that value?

--
Ticket URL: <https://core.trac.wordpress.org/ticket/38474#comment:13>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
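Added illustration of the lookup tradeoff the two comments above are circling, not code from the ticket's patch or from WordPress core: with a salted hash of the kind `CheckPassword` verifies, a row can only be matched by fetching it by `signup_id` first (or by scanning every row), whereas a deterministic keyed hash, an alternative not proposed in the ticket, keeps a `WHERE activation_key = %s` style lookup. The in-memory table, `SERVER_SECRET` and all names are assumptions.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed in-memory stand-in for wp_signups: one row per pending signup.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE signups (signup_id INTEGER PRIMARY KEY, "
           "user_login TEXT, key_hash TEXT)")

# Assumption: a per-site secret such as one of the wp-config.php salts.
SERVER_SECRET = b"constructed-site-secret"

def salted_hash(key: str) -> str:
    """Random-salt hash (stand-in for wp_hash_password). Each call yields a
    different value, so the stored hash cannot be recomputed for a WHERE clause."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", key.encode(), salt, 10_000)
    return salt.hex() + ":" + digest.hex()

def check_salted(key: str, stored: str) -> bool:
    """Stand-in for CheckPassword: re-hash with the stored salt and compare."""
    salt_hex, digest_hex = stored.split(":")
    digest = hashlib.pbkdf2_hmac("sha256", key.encode(), bytes.fromhex(salt_hex), 10_000)
    return hmac.compare_digest(digest.hex(), digest_hex)

def keyed_hash(key: str) -> str:
    """Deterministic HMAC: same key, same value, so the row is still addressable
    by hash, while a leaked table is useless without SERVER_SECRET."""
    return hmac.new(SERVER_SECRET, key.encode(), "sha256").hexdigest()

def create_signup(user_login: str, scheme: str):
    """Insert a signup and return (signup_id, plaintext key sent to the user)."""
    key = secrets.token_hex(16)
    stored = salted_hash(key) if scheme == "salted" else keyed_hash(key)
    cur = db.execute("INSERT INTO signups (user_login, key_hash) VALUES (?, ?)",
                     (user_login, stored))
    return cur.lastrowid, key

def activate_salted(signup_id: int, key: str) -> bool:
    """Salted scheme: needs the signup_id GET parameter to fetch a single row."""
    row = db.execute("SELECT key_hash FROM signups WHERE signup_id = ?",
                     (signup_id,)).fetchone()
    return row is not None and check_salted(key, row[0])

def activate_salted_scan(key: str) -> bool:
    """Salted scheme without signup_id: CheckPassword against every row."""
    return any(check_salted(key, h) for (h,) in db.execute("SELECT key_hash FROM signups"))

def activate_keyed(key: str) -> bool:
    """Keyed scheme: single-row lookup by hash, like WHERE activation_key = %s."""
    row = db.execute("SELECT signup_id FROM signups WHERE key_hash = ?",
                     (keyed_hash(key),)).fetchone()
    return row is not None
```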

