[wp-hackers] Changeset 11804
Chris Jean
gaarai at gaarai.com
Tue Aug 11 19:32:33 UTC 2009
The code actually has that exact test in it. wp-login.php line 190-191:
    if ( empty( $key ) )
        return new WP_Error('invalid_key', __('Invalid key'));
What it's not doing is a check for an array, which is why this works. So
not only do you have to validate, you have to type check.
Chris Jean
http://gaarai.com/
http://wp-roadmap.com/
http://dnsyogi.com/
Otto wrote:
> Ahhh. Well, in that case it makes more sense to simply disallow blank
> activation keys to be passed into the function then. Validate your
> inputs.
>
> if empty($key) die "don't hack me you bastard"; // or similar ;)
>
> Yes, you can force user confirmation as well, but that's not really
> solving the problem at hand, just adding another uniqueness test to
> find the correct user to reset the password for.
>
>
> -Otto
> Sent from Memphis, TN, United States
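
The point made in the message above, shown as an added example that is not part of the original thread and is not WordPress code: an empty() test rejects blank values but lets a non-empty array through, while an explicit type check does not. The function names and sample inputs are hypothetical and constructed for illustration.

```php
<?php
// Added example, not WordPress code. Function names are hypothetical.

// Mirrors the check quoted from wp-login.php: rejects only values that
// PHP considers "empty" ('', null, 0, '0', false, an array with no elements).
function key_passes_empty_check($key): bool
{
    return !empty($key);
}

// Hardened form: the key must be a non-empty string before it is used
// anywhere else (sanitising, database lookup, and so on).
function key_is_valid($key): bool
{
    return is_string($key) && $key !== '';
}

// Constructed sample inputs.
$samples = [
    'normal key'          => 'abc123XYZ',
    'empty string'        => '',
    'null'                => null,
    'empty array'         => [],
    'array holding ""'    => [''],
    'array holding a key' => ['abc123XYZ'],
];

// Print both verdicts side by side so the disagreement on arrays is visible.
foreach ($samples as $label => $value) {
    printf(
        "%-20s empty-check: %-7s type-check: %s\n",
        $label,
        key_passes_empty_check($value) ? 'pass' : 'reject',
        key_is_valid($value) ? 'pass' : 'reject'
    );
}
```

The two checks agree on every scalar input here and disagree only on the arrays that contain at least one element, which is the case the quoted test misses.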