Changeset 10801

Timestamp:

05/24/2016 02:45:08 PM (10 years ago)

Author:

boonebgorges

Message:

Better hash building for activation keys, password reset keys, and filenames.

There is no need to use user-facing info for these hashes.

Ports [10800] to the 2.5 branch.

Props DJPaul, vortfu.

Location:

branches/2.5

Files:

• . (modified) (1 prop)
• src/bp-core/classes/class-bp-attachment-avatar.php (modified) (1 diff)
• src/bp-core/classes/class-bp-attachment-cover-image.php (modified) (1 diff)
• src/bp-members/bp-members-functions.php (modified) (4 diffs)
• src/bp-members/bp-members-screens.php (modified) (1 diff)
• src/bp-members/classes/class-bp-signup.php (modified) (1 diff)
• src/bp-settings/bp-settings-actions.php (modified) (1 diff)
• tests/phpunit/testcases/members/functions.php (modified) (2 diffs)

branches/2.5/src/bp-core/classes/class-bp-attachment-avatar.php

@@ -293 +293 @@
             }
 
-            $args['dst_file'] = $avatar_folder_dir . '/' . wp_hash( $absolute_path . time() ) . '-bp' . $key_type . '.' . $ext;
+            $filename         = wp_unique_filename( $avatar_folder_dir, uniqid() . "-bp{$key_type}.{$ext}" );
+            $args['dst_file'] = $avatar_folder_dir . '/' . $filename;
 
             $avatar_types[ $key_type ] = parent::crop( $args );

branches/2.5/src/bp-core/classes/class-bp-attachment-cover-image.php

@@ -209 +209 @@
         }
 
-        $info    = pathinfo( $file );
-        $dir     = $info['dirname'];
-        $ext     = strtolower( $info['extension'] );
-        $name    = wp_hash( $file . time() ) . '-bp-cover-image';
-
-        return trailingslashit( $dir ) . "{$name}.{$ext}";
+        $info = pathinfo( $file );
+        $ext  = strtolower( $info['extension'] );
+        $name = wp_unique_filename( $info['dirname'], uniqid() . "-bp-cover-image.$ext" );
+
+        return trailingslashit( $info['dirname'] ) . $name;
     }
 

branches/2.5/src/bp-members/bp-members-functions.php

@@ -1792 +1792 @@
         $user_login     = preg_replace( '/\s+/', '', sanitize_user( $user_login, true ) );
         $user_email     = sanitize_email( $user_email );
-        $activation_key = substr( md5( time() . rand() . $user_email ), 0, 16 );
+        $activation_key = wp_generate_password( 32, false );
 
         /**
@@ -1814 +1814 @@
             }
 
-            $activation_key = wp_hash( $user_id );
             bp_update_user_meta( $user_id, 'activation_key', $activation_key );
         }
@@ -1938 +1937 @@
         $user_id = username_exists( $signup->user_login );
 
-        // Create the user.
+        // Create the user. This should only be necessary if BP_SIGNUPS_SKIP_USER_CREATION is true.
         if ( ! $user_id ) {
             $user_id = wp_create_user( $signup->user_login, $password, $signup->user_email );
 
-        // If a user ID is found, this may be a legacy signup, or one
-        // created locally for backward compatibility. Process it.
-        } elseif ( $key == wp_hash( $user_id ) ) {
+        // Otherwise, update the existing user's status.
+        } elseif ( $key === bp_get_user_meta( $user_id, 'activation_key', true ) || $key === wp_hash( $user_id ) ) {
+
             // Change the user's status so they become active.
             if ( ! $wpdb->query( $wpdb->prepare( "UPDATE {$wpdb->users} SET user_status = 0 WHERE ID = %d", $user_id ) ) ) {
@@ -2104 +2103 @@
         // Rebuild the activation key, if missing.
         if ( empty( $signup->activation_key ) ) {
-            $signup->activation_key = wp_hash( $signup->ID );
+            $signup->activation_key = wp_generate_password( 32, false );
         }
 

branches/2.5/src/bp-members/bp-members-screens.php

@@ -360 +360 @@
         }
 
-        $hashed_key = wp_hash( $key );
-
-        // Check if the signup avatar folder exists. If it does, move the folder to
-        // the BP user avatars directory.
-        if ( file_exists( bp_core_avatar_upload_path() . '/avatars/signups/' . $hashed_key ) ) {
-            @rename( bp_core_avatar_upload_path() . '/avatars/signups/' . $hashed_key, bp_core_avatar_upload_path() . '/avatars/' . $user );
-        }
-
         bp_core_add_message( __( 'Your account is now active!', 'buddypress' ) );
         $bp->activation_complete = true;

branches/2.5/src/bp-members/classes/class-bp-signup.php

@@ -737 +737 @@
             $user_id = username_exists( $signup->user_login );
 
-            if ( ! empty( $user_id ) && $signup->activation_key == wp_hash( $user_id ) ) {
+            if ( ! empty( $user_id ) && $signup->activation_key === bp_get_user_meta( $user_id, 'activation_key', true ) ) {
 
                 if ( 2 != self::check_user_status( $user_id ) ) {

branches/2.5/src/bp-settings/bp-settings-actions.php

@@ -95 +95 @@
                 // Store a hash to enable email validation.
                 if ( false === $email_error ) {
-                    $hash = wp_hash( $_POST['email'] );
+                    $hash = wp_generate_password( 32, false );
 
                     $pending_email = array(

branches/2.5/tests/phpunit/testcases/members/functions.php

@@ -262 +262 @@
 
         // Fake an old-style registration
-        $key = wp_hash( $u_obj->ID );
+        $key = wp_generate_password( 32, false );
         update_user_meta( $u, 'activation_key', $key );
 
@@ -296 +296 @@
 
         // Fake an old-style registration
-        $key = wp_hash( $u_obj->ID );
+        $key = wp_generate_password( 32, false );
         update_user_meta( $u, 'activation_key', $key );