[wp-trac] [WordPress Trac] #55536: Make sure wp_generate_password() never generates a string containing 0x to prevent blocking from mod_security

WordPress Trac noreply at wordpress.org
Sun Apr 10 00:08:50 UTC 2022


#55536: Make sure wp_generate_password() never generates a string containing 0x to
prevent blocking from mod_security
--------------------------+----------------------
 Reporter:  ReneHermi     |       Owner:  (none)
     Type:  defect (bug)  |      Status:  closed
 Priority:  normal        |   Milestone:
Component:  Security      |     Version:
 Severity:  normal        |  Resolution:  invalid
 Keywords:                |     Focuses:
--------------------------+----------------------
Changes (by peterwilsoncc):

 * milestone:  Awaiting Review =>


Comment:

 Thanks for following up again.

 Given it is working with passwords, I think your decision to close was for
 the best. Preventing certain combinations of passwords that work seems
 unwise.

 When adopting the function for other purposes, I suggest something like
 this to avoid problems:

 {{{#!php
 <?php
 do {
   $password = wp_generate_password();
 } while ( str_starts_with( $password, '0x' ) )
 }}}

 `str_starts_with` is available in PHP 8.0 and WP 5.9 and above. Also,
 please test my code above in case I've had a brain fade :)

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/55536#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform


More information about the wp-trac mailing list