Ticket #10714 (closed enhancement: wontfix)

Opened 2 years ago

Last modified 23 months ago

Bail out from password reset for invalid keys

Reported by: wet Owned by:
Priority: normal Milestone:
Component: General Version: 2.8.4
Severity: normal Keywords:
Cc:

Description

The key protecting the password reset event is a string of a known length of characters from a known character set.

Nevertheless, on the receiving end WordPress tries to filter out invalid characters from the key despite knowing that these must not be there in the first place.

I suggest to simply refuse working with invalid keys and handle that as an error condition.

Attachments

wp-login-rp-11893.patch Download (487 bytes) - added by wet 2 years ago.

Change History

wet2 years ago

comment:1   nacin23 months ago

  • Status changed from new to closed
  • Resolution set to wontfix
  • Milestone Unassigned deleted

wp_generate_password() is pluggable, and (as of 3.0) filterable. Best not to muck with this. It works fine as is.

Note: See TracTickets for help on using tickets.