[wp-trac] [WordPress Trac] #13655: Login/Install/User Edit should stripslashes() $_POST data
WordPress Trac
wp-trac at lists.automattic.com
Mon May 31 11:33:17 UTC 2010
#13655: Login/Install/User Edit should stripslashes() $_POST data
----------------------------+-----------------------------------------------
Reporter: dd32 | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: 3.1
Component: Administration | Version: 3.0
Severity: normal | Keywords: needs-patch
----------------------------+-----------------------------------------------
Following on from #13654, all Login/Registration/Install/User Edit
functionality should stripslash $_POST data.
At present, it seems that we do not stripslash at all.
For existing user passwords, we should migrate passwords to their non-
stripslashed versions:
[5/31/10 6:34:11 AM] Mark Jaquith: We could migrate people.
[5/31/10 6:34:13 AM] Dion (dd32): Perhaps oughta just add proper
stripslashing in 3.1, and add back-compat to change password from
non-stripslashed to stripslashed.. similar to the md5->phpass
implementation..
[5/31/10 6:35:13 AM] Mark Jaquith: Yep. If the PW doesn't match,
addslashes() and compare again. If that matches, set the new PW hash.
Right?
[5/31/10 6:35:19 AM] Dion (dd32): yep
--
Ticket URL: <http://core.trac.wordpress.org/ticket/13655>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
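
The fallback check discussed in the chat above ("if the PW doesn't match, addslashes() and compare again"), as an added example that is not part of the ticket or of WordPress's code. It assumes the submitted value arrives with slashes added; PHP's password_hash()/password_verify() stand in for WordPress's hasher, and check_and_migrate() and the $users store are hypothetical names.

```php
<?php
// Added example: legacy hashes were computed over the slashed password
// (pa\'ss); hashes written after the fix cover the unslashed one (pa'ss).

/**
 * Verify a login and migrate a legacy slashed-password hash on success.
 * $users is a hypothetical in-memory store: login => password hash.
 * $postedPassword is the submitted value, still carrying added slashes.
 */
function check_and_migrate(array &$users, string $login, string $postedPassword): string
{
    if (!isset($users[$login])) {
        return 'fail';
    }
    $hash = $users[$login];
    $password = stripslashes($postedPassword); // what the user actually typed

    if (password_verify($password, $hash)) {
        return 'ok';
    }

    // Fallback: the hash may predate the fix and cover the slashed form.
    // Skip it when slashing changes nothing, to avoid a redundant verify.
    $slashed = addslashes($password);
    if ($slashed !== $password && password_verify($slashed, $hash)) {
        // Re-hash the unslashed password so the fallback is not needed again.
        $users[$login] = password_hash($password, PASSWORD_DEFAULT);
        return 'migrated';
    }
    return 'fail';
}

// Constructed sample data: one account created before the fix, one after.
$typed = "pa'ss\"word";
$users = [
    'legacy' => password_hash(addslashes($typed), PASSWORD_DEFAULT),
    'fresh'  => password_hash($typed, PASSWORD_DEFAULT),
];
$posted = addslashes($typed); // simulates the slashes added to $_POST

$attempts = [['legacy', $posted], ['legacy', $posted], ['fresh', $posted], ['fresh', 'wrong']];
foreach ($attempts as [$login, $pw]) {
    echo $login, ': ', check_and_migrate($users, $login, $pw), PHP_EOL;
}
```

Until an account has been migrated, its legacy hash matches both the typed password (through the fallback) and the literal slashed string (directly), so the fallback path is worth logging and removing once most hashes have been rewritten.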