[wp-hackers] Changeset 11804

Thomas Scholz info at toscho.de
Tue Aug 11 14:13:29 UTC 2009


Andrew Ozz:

> Could we get some testing and more "eyes" on  
> https://core.trac.wordpress.org/changeset/11804 (for the 2.8 branch) or  
> [11801], [11802] and [11803] for trunk. They fix an annoyance in  
> wp-login.php where the password could be reset without the user  
> realizing it.

Where is the bug for this? I know  
<http://core.trac.wordpress.org/changeset/11798> and there may be more.  
But I couldn’t find the bug discussion.


I tried to fix this in my own installation:

- $key = preg_replace('/[^a-z0-9]/i', '', $key);
+ if ( !is_string($key) or (!preg_match('/[^a-z0-9]/i', $key) ) )
	{
		// This could be done much better …
		die('Go away!');
	}
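Review bot: the condition on the `+` line is inverted. `preg_match('/[^a-z0-9]/i', $key)` returns 1 when the key contains a character outside a-z/0-9, so `!preg_match(...)` is true for a clean key and false for a key that contains other characters; as written the check dies on every valid key and lets the malformed ones through. Drop the negation, or better, require a full positive match so an empty string is rejected as well, e.g. `if ( !is_string($key) || !preg_match('/^[a-z0-9]+$/i', $key) )`. Unlike the removed `preg_replace`, which silently stripped the offending bytes, this rejects the request outright, which is the stricter and preferable behaviour for a reset key.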

Changeset 11798 for example doesn’t look for U+00A0 (&nbsp;), U+0000 etc.

Could this be a problem?

Thomas

-- 
Redaktion, Druck- und Webdesign
http://toscho.de · 0160/1764727
Twitter: @toscho
