Changeset 42276 for branches/4.6


Timestamp:
11/29/2017 04:20:50 PM (3 years ago)
Author:
johnbillion
Message:

Hardening: Use a properly generated hash for the newbloguser key instead of a determinate substring.

Merges [42258] to the 4.6 branch.

Location:
branches/4.6
Files:
2 edited

  • branches/4.6

  • branches/4.6/src/wp-admin/user-new.php

    r38064 r42276  
    7171            $redirect = add_query_arg( array( 'update' => 'addnoconfirmation' , 'user_id' => $user_id ), 'user-new.php' );
    7272        } else {
    73             $newuser_key = substr( md5( $user_id ), 0, 5 );
     73            $newuser_key = wp_generate_password( 20, false );
    7474            add_option( 'new_user_' . $newuser_key, array( 'user_id' => $user_id, 'email' => $user_details->user_email, 'role' => $_REQUEST[ 'role' ] ) );
    7575
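Review bot: the key generated on new line 73 is still used verbatim as the option name in the `add_option()` call on line 74, and the stored array carries no creation time, so nothing visible here lets the confirmation side reject an old, unredeemed key. Consider adding a timestamp to the array (or otherwise expiring the option) so the longer key is also bounded in lifetime. The same array stores `$_REQUEST[ 'role' ]` as received; if the role is not validated earlier in the file, which this hunk does not show, it should be checked against the roles the current user may assign before it is persisted. A one-line comment on line 73 saying the key must be unguessable, because the previous value was derived from the user ID, would help prevent a later regression to a deterministic value.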