Opened 6 years ago
Last modified 6 years ago
#7914 new enhancement
Possibilities of duplicate activation_key.
| Reported by: | singhleo | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Contributions | Priority: | normal |
| Severity: | normal | Version: | 3.0.0 |
| Component: | Registration | Keywords: | |
| Cc: | | | |
Description
In the BuddyPress signup process we are generating activation_key using the wp_generate_password function without checking whether previously generated keys already exist in the database.
I know that a string generated using wp_generate_password has a very, very small chance of producing a matching key, but I think it is still possible.
An issue can occur if the signup table has duplicate activation_key values:
- We only send the user an activation email with the activation key appended to the activation URL. Because of that, the activation key can activate another user's account instead of the one who is performing the activation.
Some solutions:
- Add a relation with signup_id or the user email to the activation link, and validate the activation_key in relation with the user email or signup_id.
- Or generate a unique activation_key by checking the DB (this can be a heavy query if the signup table has a lot of data).
- Add the signup_id as a prefix to the activation_key generated by wp_generate_password(). The activation_key field allows 50 chars and wp_generate_password generates a 32-char key, so I think it will be fine if we add the signup_id prefix to make it unique.
File bp-members-functions.php, line no. 1697.
Thanks,
Sorry for my english :).
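The following is an added illustration of the problem and of the reporter's solutions 1 and 3; it is not BuddyPress code and does not touch the real signups table. It uses a constructed in-memory table in which two pending signups deliberately share an activation key, and `secrets.token_hex(16)` stands in for the 32-character `wp_generate_password()` key (an assumption about the key format, not a claim about the project's call). Activation by key alone picks the first matching row, so the wrong account is activated; binding the check to the email in the link, or prefixing the stored key with `signup_id`, removes the ambiguity.

```python
import hmac
import secrets


def generate_key():
    """Random 32-character key; stand-in for wp_generate_password(32) (assumption)."""
    return secrets.token_hex(16)


def make_signup_table():
    """Constructed stand-in for the signups table. Rows 1 and 2 deliberately share
    one activation_key to model the collision the ticket describes."""
    shared = generate_key()
    return [
        {"signup_id": 1, "user_email": "alice@example.invalid", "activation_key": shared, "active": False},
        {"signup_id": 2, "user_email": "bob@example.invalid", "activation_key": shared, "active": False},
        {"signup_id": 3, "user_email": "carol@example.invalid", "activation_key": generate_key(), "active": False},
    ]


def rows_matching_key(table, key):
    """All pending rows whose key equals the presented key (constant-time compare)."""
    return [row for row in table if hmac.compare_digest(row["activation_key"], key)]


def activate_by_key_only(table, key):
    """The risky lookup: the first row whose key matches gets activated. With a
    collision, Bob's link can activate Alice's pending account."""
    for row in table:
        if hmac.compare_digest(row["activation_key"], key):
            row["active"] = True
            return row["signup_id"]
    return None


def activate_bound_to_email(table, user_email, key):
    """Solution 1 from the ticket: the link also carries the identity (here the
    email), and the key is checked only against that one row."""
    for row in table:
        if row["user_email"] == user_email:
            if hmac.compare_digest(row["activation_key"], key):
                row["active"] = True
                return row["signup_id"]
            return None  # right row, wrong key: do not fall through to other rows
    return None


def prefixed_key(signup_id):
    """Solution 3 from the ticket: a signup_id prefix makes the stored key unique
    by construction. Fits the 50-char column for ids up to 17 digits."""
    key = f"{signup_id}-{generate_key()}"
    assert len(key) <= 50, "activation_key column is 50 chars wide"
    return key


def parse_prefixed_key(key):
    """Split a prefixed key back into (signup_id, random part) for lookup."""
    sid, _, rand = key.partition("-")
    return int(sid), rand


if __name__ == "__main__":
    table = make_signup_table()
    bobs_key = table[1]["activation_key"]
    print("rows sharing Bob's key:", len(rows_matching_key(table, bobs_key)))
    print("key-only activation hit signup_id:", activate_by_key_only(table, bobs_key))
    table = make_signup_table()
    print("email-bound activation hit signup_id:",
          activate_bound_to_email(table, "bob@example.invalid", table[1]["activation_key"]))
    print("prefixed key example:", prefixed_key(42))
```

The email-bound check returns `None` as soon as the addressed row fails the comparison rather than continuing to scan, which is what keeps a duplicate key in another row from being usable through this path.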
Change History (5)
This ticket was mentioned in Slack in #buddypress by codeart.
6 years ago
#4 (6 years ago)
Hi @singhleo
Yep, we should do something here. Ideally with a solution that means existing activation keys (on old sites) still work, so your idea 3 is good but that would break existing sites with pending user accounts. I think your idea 1 is probably the way to start investigating the problem.
For anyone looking at this, I think the code is in BP_Signup->get().
See also #7938