[wp-trac] [WordPress Trac] #55536: Make sure wp_generate_password() never generates a string containing 0x to prevent blocking from mod_security
WordPress Trac
noreply at wordpress.org
Sun Apr 10 00:08:50 UTC 2022
#55536: Make sure wp_generate_password() never generates a string containing 0x to
prevent blocking from mod_security
--------------------------+----------------------
Reporter: ReneHermi | Owner: (none)
Type: defect (bug) | Status: closed
Priority: normal | Milestone:
Component: Security | Version:
Severity: normal | Resolution: invalid
Keywords: | Focuses:
--------------------------+----------------------
Changes (by peterwilsoncc):
* milestone: Awaiting Review =>
Comment:
Thanks for following up again.
Given it is working with passwords, I think your decision to close was for
the best. Preventing certain combinations of passwords that work seems
unwise.
When adopting the function for other purposes, I suggest something like
this to avoid problems:
{{{#!php
<?php
// Regenerate until the result does not start with "0x".
do {
    $password = wp_generate_password();
} while ( str_starts_with( $password, '0x' ) );
}}}
`str_starts_with` is available in PHP 8.0 and WP 5.9 and above. Also,
please test my code above in case I've had a brain fade :)
--
Ticket URL: <https://core.trac.wordpress.org/ticket/55536#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform