Make WordPress Core


Timestamp:
11/29/2017 03:51:19 PM
Author:
johnbillion
Message:

Hardening: Use a properly generated hash for the newbloguser key instead of a determinate substring.

File:
1 edited

  • trunk/src/wp-admin/user-new.php

    r41661 r42258  
    7676            }
    7777        } else {
    78             $newuser_key = substr( md5( $user_id ), 0, 5 );
     78            $newuser_key = wp_generate_password( 20, false );
    7979            add_option( 'new_user_' . $newuser_key, array( 'user_id' => $user_id, 'email' => $user_details->user_email, 'role' => $_REQUEST[ 'role' ] ) );
    8080
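
Review bot: the unchanged `add_option()` call on line 79 writes `$_REQUEST[ 'role' ]` into the stored record as-is, and nothing in the visible lines checks it against the roles the current user is allowed to assign. Please confirm that this check happens earlier in the file, or add it before the option is saved. On the added line 78, a short comment would help explain why `wp_generate_password( 20, false )` is called with special characters disabled, given that the result is concatenated into the option name `'new_user_' . $newuser_key`. Separately, any options already stored under the old `substr( md5( $user_id ), 0, 5 )` scheme keep a key that can be derived from the user ID, so it is worth stating whether those entries are left to be consumed or are cleaned up.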