Hi,

I'd like to fix an annoying bug (#519798) in the wordpress password reset
procedure in lenny.
debdiff attached.

Cheers,
Giuseppe.
diffstat for wordpress_2.5.1-11+lenny1 wordpress_2.5.1-11+lenny2

 debian/patches/017lostpassword.dpatch |   39 ++++++++++++++++++++++++++++++++++
 wordpress-2.5.1/debian/changelog      |    7 ++++++
 wordpress-2.5.1/debian/patches/00list |    1 
 3 files changed, 47 insertions(+)

diff -u wordpress-2.5.1/debian/changelog wordpress-2.5.1/debian/changelog
--- wordpress-2.5.1/debian/changelog
+++ wordpress-2.5.1/debian/changelog
@@ -1,3 +1,10 @@
+wordpress (2.5.1-11+lenny2) stable; urgency=low
+
+  * [1dd14e6] Fixed a bug in the password reset procedure, users are now
+    able to reset their passwords (Closes: #519798)
+
+ -- Giuseppe Iuculano <giuse...@iuculano.it>  Tue, 25 Aug 2009 12:44:20 +0200
+
 wordpress (2.5.1-11+lenny1) stable-security; urgency=high
 
   * [27cfd35] Fixed CVE-2008-6762: Force redirect after an upgrade
diff -u wordpress-2.5.1/debian/patches/00list 
wordpress-2.5.1/debian/patches/00list
--- wordpress-2.5.1/debian/patches/00list
+++ wordpress-2.5.1/debian/patches/00list
@@ -16,0 +17 @@
+017lostpassword.dpatch
only in patch2:
unchanged:
--- wordpress-2.5.1.orig/debian/patches/017lostpassword.dpatch
+++ wordpress-2.5.1/debian/patches/017lostpassword.dpatch
@@ -0,0 +1,39 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 017lostpassword.dpatch by Giuseppe Iuculano <giuse...@iuculano.it>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fixed a bug in password reset procedure, users are now able to reset 
their passwords (Closes: #519798)
+
+...@dpatch@
+diff -urNad wordpress~/wp-includes/pluggable.php 
wordpress/wp-includes/pluggable.php
+--- wordpress~/wp-includes/pluggable.php       2009-08-25 12:13:53.000000000 
+0200
++++ wordpress/wp-includes/pluggable.php        2009-08-25 12:26:50.000000000 
+0200
+@@ -1168,8 +1168,11 @@
+  *
+  * @return string The random password
+  **/
+-function wp_generate_password($length = 12) {
+-      $chars = 
"abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz01234567...@#$%^&*()";
++function wp_generate_password($length = 12, $special_chars = true) {
++      $chars = 
'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
++      if ( $special_chars )
++              $chars .= '!...@#$%^&*()';
++
+       $password = '';
+       for ( $i = 0; $i < $length; $i++ )
+               $password .= substr($chars, mt_rand(0, strlen($chars) - 1), 1);
+diff -urNad wordpress~/wp-login.php wordpress/wp-login.php
+--- wordpress~/wp-login.php    2009-08-25 12:20:09.000000000 +0200
++++ wordpress/wp-login.php     2009-08-25 12:27:23.000000000 +0200
+@@ -91,9 +91,9 @@
+       do_action('retrieve_password', $user_login);
+ 
+       $key = $wpdb->get_var($wpdb->prepare("SELECT user_activation_key FROM 
$wpdb->users WHERE user_login = %s", $user_login));
+-      if ( empty($key) ) {
++      if ( empty($key) || preg_match('/[^a-z0-9]/i',$key) != 0) {
+               // Generate something random for a key...
+-              $key = wp_generate_password();
++              $key = wp_generate_password(20, false);
+               do_action('retrieve_password_key', $user_login, $key);
+               // Now insert the new md5 key into the db
+               $wpdb->query($wpdb->prepare("UPDATE $wpdb->users SET 
user_activation_key = %s WHERE user_login = %s", $key, $user_login));
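Review bot: The reset key assigned by `$key = wp_generate_password(20, false);` is still drawn from `mt_rand()` inside `wp_generate_password()`, which is not a cryptographically secure generator, so the longer alphanumeric key addresses the reset failure without making the token cryptographically unpredictable. At minimum I would document this above the loop, e.g. `// NOTE: mt_rand() is not a CSPRNG; callers use this value as a password-reset key`, and track moving the key to an OS-backed random source as a follow-up. The validity test also treats a `preg_match()` error (`false`) as a clean key; a positive match such as `if ( empty($key) || !preg_match('/\A[a-z0-9]+\z/i', $key) ) {` fails closed. The context comment `// Now insert the new md5 key into the db` is stale, since the value stored here is not an MD5 hash. Both functions start and end outside these inner hunks, so the return path and the use of `$key` in the mail are not visible here.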
