[wp-trac] [WordPress Trac] #44230: Export Personal Data Flaw
WordPress Trac
noreply at wordpress.org
Fri May 25 15:55:46 UTC 2018
#44230: Export Personal Data Flaw
-------------------------------------+------------------------------
Reporter: psycleuk | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Privacy | Version: 4.9.6
Severity: major | Resolution:
Keywords: close reporter-feedback | Focuses:
-------------------------------------+------------------------------
Changes (by johnbillion):
* keywords: => close reporter-feedback
Comment:
Thanks for the report, @psycleuk.
> The zip file is then publicly accessible to anyone that could work out
> the url for 3 days by default.
The randomised string that gets appended to the file name has a length of
32 characters, and is generated by `wp_generate_password()` from a pool of
62 possible characters. This gives it an entropy of `32^62`, which is a
number containing over ninety digits.
Brute force guessing such a filename is therefore out of the question. Are
you aware of a means of pre-calculating the filename?
Note also that the directory listing is not readable due to the existence
of the `index.html` file in the directory.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/44230#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
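As an added worked example (not code from WordPress or from the commenter), the calculation behind the "brute force is out of the question" argument, carried through for a suffix of 32 characters drawn from a 62-symbol alphanumeric pool: the keyspace is pool^length = 62^32, which is about 190 bits of entropy. The Python generator is a CSPRNG-backed stand-in for `wp_generate_password(32, false, false)`, not the WordPress implementation, and the guess rate of 10^9 per second used for the time estimate is an assumed figure.

```python
import math
import secrets
import string

# Assumed pool: the 62 alphanumerics (a-z, A-Z, 0-9) the comment describes.
ALPHABET = string.ascii_letters + string.digits
SUFFIX_LEN = 32


def keyspace(pool_size: int, length: int) -> int:
    """Number of distinct strings of `length` symbols from a pool of `pool_size`.

    Note the order: the pool is the base, the length is the exponent.
    """
    return pool_size ** length


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of a uniformly chosen string, in bits: length * log2(pool)."""
    return length * math.log2(pool_size)


def years_to_enumerate(pool_size: int, length: int, guesses_per_second: float) -> float:
    """Years needed to try every candidate filename at a given guess rate
    (the attacker needs on average half of that to hit one real file)."""
    seconds = keyspace(pool_size, length) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def generate_suffix(length: int = SUFFIX_LEN, alphabet: str = ALPHABET) -> str:
    """Stand-in for wp_generate_password($length, false, false), drawing each
    character from the OS CSPRNG so the suffix cannot be pre-calculated."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def is_well_formed_suffix(suffix: str, length: int = SUFFIX_LEN,
                          alphabet: str = ALPHABET) -> bool:
    """Sanity check a generated suffix: right length, only pool characters."""
    return len(suffix) == length and all(c in alphabet for c in suffix)


if __name__ == "__main__":
    ks = keyspace(62, SUFFIX_LEN)
    print(f"keyspace 62^32 = {ks:.3e} ({len(str(ks))} digits)")
    print(f"entropy        = {entropy_bits(62, SUFFIX_LEN):.1f} bits")
    # Assumed guess rate: 1e9 HTTP probes per second (far beyond any real web server).
    print(f"full search    = {years_to_enumerate(62, SUFFIX_LEN, 1e9):.1e} years")
    print("sample suffix  =", generate_suffix())
```

For comparison, the 3-day lifetime of the export file only matters if an attacker could learn the suffix some other way (a leaked URL, a readable directory listing, or a predictable generator); the arithmetic alone rules out guessing.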