Opened 5 years ago

Closed 5 years ago

#10714 closed enhancement (wontfix)

Bail out from password reset for invalid keys

Reported by: wet
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 2.8.4
Component: General
Keywords:
Focuses:
Cc:

Description

The key protecting the password reset event is a string of a known length of characters from a known character set.

Nevertheless, on the receiving end WordPress tries to filter out invalid characters from the key despite knowing that these must not be there in the first place.

I suggest simply refusing to work with invalid keys and handling that as an error condition.

Attachments (1)

wp-login-rp-11893.patch (487 bytes) - added by wet 5 years ago.

Change History (2)

@wet 5 years ago

comment:1 @nacin 5 years ago

  • Milestone Unassigned deleted
  • Resolution set to wontfix
  • Status changed from new to closed

wp_generate_password() is pluggable, and (as of 3.0) filterable. Best not to muck with this. It works fine as is.
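
The difference between stripping unexpected characters and bailing out on them, as an added PHP example that is not WordPress core code and not the attached patch. The 20-character alphanumeric key shape, the sample key and the function names are assumptions; the pattern is a parameter because a replaced generator may use a different alphabet.

```php
<?php
// Added illustration; not WordPress core code and not the attached patch.
// Assumption: keys are 20 characters from [A-Za-z0-9]. The ticket only says
// the length and character set are "known"; a replaced (pluggable)
// generator could use a different alphabet, so the pattern is a parameter.
const ASSUMED_KEY_PATTERN = '/\A[A-Za-z0-9]{20}\z/';

// Constructed sample store: reset key => user login.
const SAMPLE_KEYS = ['q7Zp2LmX9aB4cD1eF6gH' => 'alice'];

// Lenient handling as the ticket describes it: strip unexpected characters,
// then look up whatever is left.
function lookup_sanitized(string $key): ?string {
    $clean = preg_replace('/[^A-Za-z0-9]/', '', $key);
    return SAMPLE_KEYS[$clean] ?? null;
}

// Strict handling as the ticket proposes: a key that does not have the
// expected shape is an error condition and is never looked up.
function lookup_strict(string $key, string $pattern = ASSUMED_KEY_PATTERN): ?string {
    if (preg_match($pattern, $key) !== 1) {
        return null; // bail out
    }
    return SAMPLE_KEYS[$key] ?? null;
}

// Constructed inputs: the exact key and three malformed variants of it.
$inputs = [
    'q7Zp2LmX9aB4cD1eF6gH',        // exact key
    'q7Zp2-LmX9a-B4cD1-eF6gH',     // same key with separators inserted
    "q7Zp2LmX9aB4cD1eF6gH\n",      // trailing newline
    'q7Zp2LmX9aB4cD1eF6g',         // one character short
];
foreach ($inputs as $in) {
    printf("%-28s sanitized=%-6s strict=%s\n",
        json_encode($in),
        lookup_sanitized($in) ?? 'null',
        lookup_strict($in) ?? 'null');
}
```

The sanitizing lookup resolves the first three inputs to the same account, while the strict lookup accepts only the exact key. The anchors are `\A` and `\z` rather than `^` and `$` so that a trailing newline is also rejected.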
