Make WordPress Core

Changeset 42312 for branches/3.7


Timestamp:
11/29/2017 04:48:28 PM (7 years ago)
Author:
johnbillion
Message:

Hardening: Use a properly generated hash for the newbloguser key instead of a determinate substring.

Merges [42258] to the 3.7 branch.

Location:
branches/3.7
Files:
3 edited

  • branches/3.7

  • branches/3.7/src

  • branches/3.7/src/wp-admin/user-new.php

    r25881 r42312  
    7373            $redirect = add_query_arg( array('update' => 'addnoconfirmation'), 'user-new.php' );
    7474        } else {
    75             $newuser_key = substr( md5( $user_id ), 0, 5 );
     75            $newuser_key = wp_generate_password( 20, false );
    7676            add_option( 'new_user_' . $newuser_key, array( 'user_id' => $user_id, 'email' => $user_details->user_email, 'role' => $_REQUEST[ 'role' ] ) );
    7777
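
Review bot: The new key on line 75 is still written verbatim into the option name on line 76 (`'new_user_' . $newuser_key`), and the stored array carries no creation time, so nothing in this hunk bounds how long a pending invitation stays redeemable. Consider adding a timestamp to the option array and rejecting stale keys where the key is consumed. The same array persists `'role' => $_REQUEST[ 'role' ]` straight from the request; if the role is not validated earlier in user-new.php, check it against the roles the inviting user may assign before calling add_option(). A smaller point: the commit message calls the value a "hash", but `wp_generate_password( 20, false )` returns a random 20-character string, which is the property that matters here, since the old `substr( md5( $user_id ), 0, 5 )` was derivable from the user ID and limited to five hex characters.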