BuddyPress.org

Opened 16 months ago

Last modified 11 months ago

#7914 new enhancement

Possibilities of duplicate activation_key.

Reported by: singhleo
Owned by: (unassigned)
Milestone: Awaiting Contributions
Priority: normal
Severity: normal
Version: 3.0.0
Component: Registration
Keywords: (none)
Cc: (none)

Description

In the BuddyPress signup process we generate the activation_key using the wp_generate_password function without checking whether a previously generated key already exists in the database.

I know that a string generated using wp_generate_password has a very, very small chance of matching an existing key, but I think it is still possible.

The issue can occur if the signup table contains duplicate activation_key values:

  1. We only send the user an activation email with the activation key appended to the activation URL. Because of that, the activation key can activate another user's account instead of the account of the user who is performing the activation.

Some solutions:

  1. Add a relation to the signup_id or user email on the activation link, and validate the activation_key in relation to the user email or signup_id.
  2. Or generate a unique activation_key by checking the database (this can be a heavy query if the signup table has a lot of data).
  3. Add the signup_id as a prefix to the activation_key generated by wp_generate_password(). The activation_key field allows 50 chars and wp_generate_password generates a 32-char key, so I think it will be fine if we add the signup_id prefix to make it unique.

File bp-members-functions.php, line 1697.

Thanks,
Sorry for my english :).
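The following is an added example, not BuddyPress code. It models the lookup the ticket describes: the weak form selects on activation_key alone, so a duplicated key activates whichever pending signup the database returns first, while the hardened form (idea 1 above) carries the signup_id in the link and only accepts the key for that signup. Function names, the `/activate/` path and the use of the WordPress signups table (`$wpdb->signups`, columns signup_id, user_email, activation_key, active) are assumptions for this illustration.

```php
<?php
// Added example, not BuddyPress code. $wpdb is the WordPress database object;
// table and column names are assumed to match the WP signups table.

// Idea 1 from the ticket: carry the signup identity next to the key in the
// activation URL, so the receiver can scope its lookup to that one signup.
function bp_example_build_activation_url( $signup_id, $activation_key ) {
    return add_query_arg( array(
        'signup_id' => (int) $signup_id,
        'key'       => rawurlencode( $activation_key ),
    ), home_url( '/activate/' ) );
}

// Weak: the key is the only selector. If two pending rows share a key,
// "LIMIT 1" returns an arbitrary one and the wrong account gets activated.
function bp_example_lookup_weak( $activation_key ) {
    global $wpdb;
    return $wpdb->get_row( $wpdb->prepare(
        "SELECT signup_id, user_email FROM {$wpdb->signups}
         WHERE activation_key = %s AND active = 0 LIMIT 1",
        $activation_key
    ) );
}

// Hardened: select on the signup identity from the link, then check that the
// presented key belongs to exactly that row. Existing keys keep working
// because the key format itself is unchanged.
function bp_example_lookup_hardened( $signup_id, $activation_key ) {
    global $wpdb;
    $row = $wpdb->get_row( $wpdb->prepare(
        "SELECT signup_id, user_email, activation_key FROM {$wpdb->signups}
         WHERE signup_id = %d AND active = 0",
        (int) $signup_id
    ) );
    // hash_equals() avoids leaking key bytes through comparison timing.
    if ( ! $row || ! hash_equals( (string) $row->activation_key, (string) $activation_key ) ) {
        return null; // no pending signup with that id, or key does not match it
    }
    return $row;
}
```

A signup_id that exists but whose key does not match is rejected rather than falling back to a key-only search, which is what keeps a colliding key from reaching another account.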

Change History (5)

This ticket was mentioned in Slack in #buddypress by codeart.
16 months ago

#2 @singhleo
16 months ago

  • Priority changed from omg pizza to normal

#3 @DJPaul
14 months ago

  • Milestone changed from Awaiting Review to Under Consideration

See also #7938

#4 @DJPaul
14 months ago

Hi @singhleo

Yep, we should do something here. Ideally with a solution that means existing activation keys (on old sites) still work, so your idea 3 is good but that would break existing sites with pending user accounts. I think your idea 1 is probably the way to start investigating the problem.

For anyone looking at this, I think the code is in BP_Signup->get().

#5 @DJPaul
11 months ago

  • Milestone changed from Under Consideration to Awaiting Contributions