[wp-trac] [WordPress Trac] #46595: Allow more than one valid recovery mode link
WordPress Trac
noreply at wordpress.org
Wed Apr 3 19:41:27 UTC 2019
#46595: Allow more than one valid recovery mode link
------------------------------------+--------------------------------
Reporter: flixos90 | Owner: timothyblynjacobs
Type: defect (bug) | Status: assigned
Priority: normal | Milestone: 5.2
Component: Bootstrap/Load | Version: trunk
Severity: normal | Resolution:
Keywords: needs-patch servehappy | Focuses:
------------------------------------+--------------------------------
Comment (by TimothyBlynJacobs):
This shouldn't be using the nonce API as it isn't a real nonce
implementation, is tied to the current user ( or logged-out user ), and
has its own time limit that will interfere with the filterable TTL.
Instead, the token should be a randomized string, and the token deleted
when it is used. This shouldn't happen in `verify()` but in a separate
method like `delete_key()` which should also check for all other stored
keys that have expired.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/46595#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list