Opened 5 years ago
Closed 5 years ago
#10714 closed enhancement (wontfix)
Bail out from password reset for invalid keys
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Priority: | normal | |
| Severity: | normal | Version: | 2.8.4 |
| Component: | General | Keywords: | |
| Focuses: | Cc: |
Description
The key protecting the password reset event is a string of a known length of characters from a known character set.
Nevertheless, on the receiving end WordPress tries to filter out invalid characters from the key despite knowing that these must not be there in the first place.
I suggest to simply refuse working with invalid keys and handle that as an error condition.
Attachments (1)
Change History (2)
Note: See
TracTickets for help on using
tickets.
wp_generate_password() is pluggable, and (as of 3.0) filterable. Best not to muck with this. It works fine as is.