Login/Install/User Edit should stripslashes() $_POST data
| Reported by: | dd32 | Owned by: | |
| Component: | Login and Registration | Keywords: | has-patch 3.2-early |
Following on from #13654, all Login/Registration/Install/User Edit functionality should stripslash $_POST data.
At present, it seems that we do not stripslash at all.
For existing user passwords, we should migrate passwords to their non-stripslashed versions:
[5/31/10 6:34:11 AM] Mark Jaquith: We could migrate people.
[5/31/10 6:34:13 AM] Dion (dd32): Perhaps oughta just add proper stripslashing in 3.1, and add back-compat to change password from non-stripslashed to stripslashed.. similar to the md5->phpass implementation..
[5/31/10 6:35:13 AM] Mark Jaquith: Yep. If the PW doesn't match, addslashes() and compare again. If that matches, set the new PW hash. Right?
[5/31/10 6:35:19 AM] Dion (dd32): yep
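
The back-compat check discussed in the chat above, as an added example that is not WordPress code and not part of the original ticket: verify the unslashed password first, retry with `addslashes()` on mismatch, and rewrite the stored hash when the legacy form matches. It assumes PHP's native `password_hash()`/`password_verify()` as a stand-in for WordPress's hasher; the function name `check_and_migrate` and the in-memory `$store` are hypothetical.

```php
<?php
// Added example: password_hash()/password_verify() stand in for WordPress's
// hasher; $store is a hypothetical in-memory user table (constructed data).

/**
 * Verify an unslashed password, falling back to the legacy slashed form.
 * Returns 'ok', 'migrated' (stored hash was rewritten), or 'fail'.
 */
function check_and_migrate(array &$store, string $user, string $password): string
{
    if (!isset($store[$user])) {
        return 'fail';
    }
    $hash = $store[$user];

    // Normal path: the hash was made from the unslashed password.
    if (password_verify($password, $hash)) {
        return 'ok';
    }

    // Back-compat path: old code hashed the slashed $_POST value.
    // Skip the second (expensive) comparison when slashing changes nothing.
    $legacy = addslashes($password);
    if ($legacy !== $password && password_verify($legacy, $hash)) {
        // Matched the legacy form: store a hash of the unslashed password.
        $store[$user] = password_hash($password, PASSWORD_DEFAULT);
        return 'migrated';
    }

    return 'fail';
}

// Constructed sample: an account created by the old code path, which hashed
// the slashed form of the password  pa'ss"w\rd
$plain = 'pa\'ss"w\\rd';
$store = ['alice' => password_hash(addslashes($plain), PASSWORD_DEFAULT)];

// First login with the unslashed password hits the legacy hash and migrates it.
var_dump(check_and_migrate($store, 'alice', $plain));
// Second login matches the rewritten hash directly.
var_dump(check_and_migrate($store, 'alice', $plain));
// After migration the slashed form is no longer accepted.
var_dump(check_and_migrate($store, 'alice', addslashes($plain)));
// A wrong password fails on both paths.
var_dump(check_and_migrate($store, 'alice', 'wrong'));
```

Only passwords containing a quote, backslash or NUL byte take the fallback path, so most logins still cost a single hash comparison.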
Change History (9)
- Cc johan.eenfeldt@… added
- Keywords has-patch added; needs-patch removed
- Keywords 3.2-early added
- Milestone changed from Awaiting Triage to Future Release
comment:5 jeremyfelt — 7 weeks ago
- Component changed from Administration to Login and Registration
- Focuses multisite added