
Changeset 10800

Timestamp:
05/24/2016 02:34:37 PM (8 years ago)
Author:
boonebgorges
Message:

Better hash building for activation keys, password reset keys, and filenames.

There is no need to use user-facing info for these hashes.

Props DJPaul, vortfu.

Location:
trunk
Files:
7 edited

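--- a/trunk/src/bp-core/classes/class-bp-attachment-avatar.php
+++ b/trunk/src/bp-core/classes/class-bp-attachment-avatar.php
@@ -293,5 +293,6 @@
             }
 
-            $args['dst_file'] = $avatar_folder_dir . '/' . wp_hash( $absolute_path . time() ) . '-bp' . $key_type . '.' . $ext;
+            $filename         = wp_unique_filename( $avatar_folder_dir, uniqid() . "-bp{$key_type}.{$ext}" );
+            $args['dst_file'] = $avatar_folder_dir . '/' . $filename;
 
             $avatar_types[ $key_type ] = parent::crop( $args );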
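Review bot: `uniqid()` on the new `$filename` line is built from the current microsecond timestamp, so the resulting avatar filename is predictable rather than random; `wp_unique_filename()` only resolves collisions inside the directory, it adds no entropy. If the aim of the commit is an unguessable name, the same `wp_generate_password( 32, false )` used in the other hunks would do it: `$filename = wp_unique_filename( $avatar_folder_dir, wp_generate_password( 32, false ) . "-bp{$key_type}.{$ext}" );`. The same point applies to the `uniqid()` call in the class-bp-attachment-cover-image.php section of this changeset. The enclosing method (apparently a `crop()` override, given the `parent::crop()` call) starts and ends outside the hunk.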
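--- a/trunk/src/bp-core/classes/class-bp-attachment-cover-image.php
+++ b/trunk/src/bp-core/classes/class-bp-attachment-cover-image.php
@@ -209,10 +209,9 @@
         }
 
-        $info    = pathinfo( $file );
-        $dir     = $info['dirname'];
-        $ext     = strtolower( $info['extension'] );
-        $name    = wp_hash( $file . time() ) . '-bp-cover-image';
-
-        return trailingslashit( $dir ) . "{$name}.{$ext}";
+        $info = pathinfo( $file );
+        $ext  = strtolower( $info['extension'] );
+        $name = wp_unique_filename( $info['dirname'], uniqid() . "-bp-cover-image.$ext" );
+
+        return trailingslashit( $info['dirname'] ) . $name;
     }
 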
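--- a/trunk/src/bp-members/bp-members-functions.php
+++ b/trunk/src/bp-members/bp-members-functions.php
@@ -1840,5 +1840,5 @@
         $user_login     = preg_replace( '/\s+/', '', sanitize_user( $user_login, true ) );
         $user_email     = sanitize_email( $user_email );
-        $activation_key = substr( md5( time() . rand() . $user_email ), 0, 16 );
+        $activation_key = wp_generate_password( 32, false );
 
         /**
@@ -1862,5 +1862,4 @@
             }
 
-            $activation_key = wp_hash( $user_id );
             bp_update_user_meta( $user_id, 'activation_key', $activation_key );
         }
@@ -1990,11 +1989,11 @@
         $user_id = username_exists( $signup->user_login );
 
-        // Create the user.
+        // Create the user. This should only be necessary if BP_SIGNUPS_SKIP_USER_CREATION is true.
         if ( ! $user_id ) {
             $user_id = wp_create_user( $signup->user_login, $password, $signup->user_email );
 
-        // If a user ID is found, this may be a legacy signup, or one
-        // created locally for backward compatibility. Process it.
-        } elseif ( $key == wp_hash( $user_id ) ) {
+        // Otherwise, update the existing user's status.
+        } elseif ( $key === bp_get_user_meta( $user_id, 'activation_key', true ) || $key === wp_hash( $user_id ) ) {
+
             // Change the user's status so they become active.
             if ( ! $wpdb->query( $wpdb->prepare( "UPDATE {$wpdb->users} SET user_status = 0 WHERE ID = %d", $user_id ) ) ) {
@@ -2156,5 +2155,5 @@
         // Rebuild the activation key, if missing.
         if ( empty( $signup->activation_key ) ) {
-            $signup->activation_key = wp_hash( $signup->ID );
+            $signup->activation_key = wp_generate_password( 32, false );
         }
 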
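Review bot: The new `elseif` in the third hunk compares the caller-supplied `$key` against the stored activation key with `===`, which short-circuits on the first differing byte; for a secret comparison the constant-time form is `} elseif ( hash_equals( (string) bp_get_user_meta( $user_id, 'activation_key', true ), (string) $key ) || hash_equals( wp_hash( $user_id ), (string) $key ) ) {`. Separately, when no meta is stored `bp_get_user_meta()` presumably returns `''`, so an empty `$key` would satisfy the first operand (with `===` or `hash_equals()` alike) unless it is rejected earlier; the check that validates `$key` is not in this hunk, so that is worth confirming. The `wp_hash( $user_id )` operand keeps the old deterministic key accepted for legacy signups; a short comment saying so, e.g. `// Legacy fallback: pre-r10800 signups were keyed on wp_hash( $user_id ).`, would make the second operand self-explanatory. The enclosing function starts and ends outside the hunk.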
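--- a/trunk/src/bp-members/bp-members-screens.php
+++ b/trunk/src/bp-members/bp-members-screens.php
@@ -370,12 +370,4 @@
         }
 
-        $hashed_key = wp_hash( $key );
-
-        // Check if the signup avatar folder exists. If it does, move the folder to
-        // the BP user avatars directory.
-        if ( file_exists( bp_core_avatar_upload_path() . '/avatars/signups/' . $hashed_key ) ) {
-            @rename( bp_core_avatar_upload_path() . '/avatars/signups/' . $hashed_key, bp_core_avatar_upload_path() . '/avatars/' . $user );
-        }
-
         bp_core_add_message( __( 'Your account is now active!', 'buddypress' ) );
         $bp->activation_complete = true;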
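--- a/trunk/src/bp-members/classes/class-bp-signup.php
+++ b/trunk/src/bp-members/classes/class-bp-signup.php
@@ -747,5 +747,5 @@
             $user_id = username_exists( $signup->user_login );
 
-            if ( ! empty( $user_id ) && $signup->activation_key == wp_hash( $user_id ) ) {
+            if ( ! empty( $user_id ) && $signup->activation_key === bp_get_user_meta( $user_id, 'activation_key', true ) ) {
 
                 if ( 2 != self::check_user_status( $user_id ) ) {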
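Review bot: The new condition on line 749 has no guard for the case where neither side is set: if `$signup->activation_key` is an empty string and the user has no `activation_key` meta (in which case `bp_get_user_meta()` presumably returns `''`), the two empty strings compare equal and the branch runs for a user that was never keyed. Reading the stored value once and requiring it to be non-empty closes that: `$stored_key = bp_get_user_meta( $user_id, 'activation_key', true );` followed by `if ( ! empty( $user_id ) && '' !== $stored_key && $signup->activation_key === $stored_key ) {`. Note also that this path drops the `wp_hash( $user_id )` fallback that bp-members-functions.php in the same changeset still accepts, so legacy signups are treated differently in the two places; a one-line comment stating which behaviour is intended here would help. The enclosing method starts and ends outside the hunk.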
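--- a/trunk/src/bp-settings/bp-settings-actions.php
+++ b/trunk/src/bp-settings/bp-settings-actions.php
@@ -95,5 +95,5 @@
                 // Store a hash to enable email validation.
                 if ( false === $email_error ) {
-                    $hash = wp_hash( $_POST['email'] );
+                    $hash = wp_generate_password( 32, false );
 
                     $pending_email = array(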
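Review bot: The context comment `// Store a hash to enable email validation.` two lines above the change now misdescribes the value, which after this commit is a random token from `wp_generate_password()` rather than a hash of the submitted address; suggest `// Store a random verification token to enable email validation.`. The variable name `$hash` carries the same stale meaning and, presumably, so does whatever `$pending_email` key it feeds below the hunk, though renaming it would touch lines outside this change. Moving away from `wp_hash( $_POST['email'] )` also means the token is no longer reproducible from the address, which is the security benefit and is worth stating in that comment. The enclosing block starts and ends outside the hunk.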
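--- a/trunk/tests/phpunit/testcases/members/functions.php
+++ b/trunk/tests/phpunit/testcases/members/functions.php
@@ -262,5 +262,5 @@
 
         // Fake an old-style registration
-        $key = wp_hash( $u_obj->ID );
+        $key = wp_generate_password( 32, false );
         update_user_meta( $u, 'activation_key', $key );
 
@@ -296,5 +296,5 @@
 
         // Fake an old-style registration
-        $key = wp_hash( $u_obj->ID );
+        $key = wp_generate_password( 32, false );
         update_user_meta( $u, 'activation_key', $key );
 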
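Review bot: Both `// Fake an old-style registration` comments (lines 263 and 297) are stale after this change: the test now stores a freshly generated random key in user meta, which is the new format introduced by this changeset, so something like `// Fake a registration with a stored activation_key` describes what the fixture does. Because bp-members-functions.php in the same changeset still accepts `wp_hash( $user_id )` as a legacy fallback, replacing `wp_hash( $u_obj->ID )` in both tests leaves that fallback path without coverage here; keeping the old form in one of the two cases, or adding a dedicated case, would exercise it, unless it is covered elsewhere. Both enclosing test methods start and end outside the hunks.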