[buddypress-trac] [BuddyPress] #2289: Spam accounts bypassing 'bp_signup_validate' action [HAS PATCH]
buddypress-trac at lists.automattic.com
Tue Apr 6 21:23:05 UTC 2010
#2289: Spam accounts bypassing 'bp_signup_validate' action [HAS PATCH]
----------------------+-----------------------------------------------------
Reporter: rvenable | Owner:
Type: defect | Status: new
Priority: major | Milestone: 1.2.4
Component: Core | Keywords: has-patch
----------------------+-----------------------------------------------------
I have a function hooked onto the 'bp_signup_validate' action in which I
validate user signups. It works correctly when going through the normal
signup steps, but somehow spammers are able to create accounts that aren't
validated by the 'bp_signup_validate' action.
I'm not sure how they are doing it exactly, but I did find some code in
bp-core-signup that appears to provide a hole for spammers. The
bp_core_wpsignup_redirect() function calls wp_redirect to redirect from
wp-signup.php to the BP register page, but it doesn't call die() after
redirect, so it would appear that the wp-signup.php code would still get
executed. The correct function to call would be bp_core_redirect() (see
attached patch) or at least call die() after wp_redirect().
--
Ticket URL: <http://trac.buddypress.org/ticket/2289>
BuddyPress <http://buddypress.org/>
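
A source audit for the pattern this ticket describes, added here as an example (it is not part of the original message or of BuddyPress): it flags wp_redirect() / wp_safe_redirect() calls whose next statement is not exit or die. The PHP sample and its demo_* names are constructed, and the line-based matching is a simplifying assumption, not a PHP parser.

```python
import re

# WordPress redirect helpers that send a Location header and then return.
REDIRECT = re.compile(r"\bwp_(?:safe_)?redirect\s*\(")
# Statements that stop the PHP script.
TERMINATOR = re.compile(r"^\s*(?:exit|die)\b")
# Blank or comment-only lines, skipped when looking for the next statement.
SKIP = re.compile(r"^\s*(?://.*|#.*|/\*.*\*/\s*)?$")

# Constructed sample input (not BuddyPress source).
SAMPLE_PHP = """<?php
function demo_signup_redirect() {
    if ( demo_is_signup_page() ) {
        wp_redirect( demo_register_url() );
    }
}
function demo_signup_redirect_fixed() {
    if ( demo_is_signup_page() ) {
        wp_redirect( demo_register_url() );
        die();
    }
}
function demo_other() {
    wp_safe_redirect( demo_home() ); exit;
    bp_core_redirect( demo_home() );
}
"""


def find_unterminated_redirects(php_source):
    """Return (line_number, text) for redirect calls not followed by exit/die.

    Assumes one statement per line; exit/die later on the same line counts.
    """
    lines = php_source.splitlines()
    findings = []
    for i, line in enumerate(lines):
        match = REDIRECT.search(line)
        if not match or SKIP.match(line):
            continue
        if re.search(r";\s*(?:exit|die)\b", line[match.end():]):
            continue
        following = next((l for l in lines[i + 1:] if not SKIP.match(l)), "")
        if not TERMINATOR.match(following):
            findings.append((i + 1, line.strip()))
    return findings


if __name__ == "__main__":
    for number, text in find_unterminated_redirects(SAMPLE_PHP):
        print(f"line {number}: redirect without exit/die: {text}")
```

bp_core_redirect() calls are deliberately not matched, since the ticket names that function as the correct replacement.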