https://bugzilla.wikimedia.org/show_bug.cgi?id=2242
Brion Vibber <br...@wikimedia.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |br...@wikimedia.org
           Keywords|need-review                 |patch

--- Comment #7 from Brion Vibber <br...@wikimedia.org> 2008-12-30 03:45:02 UTC ---
Couple notes:

1) Setting the expiration in hours seems sub-ideal to me, since nearly all
time-based config options are in seconds. I'd recommend renaming
$wgPasswordReminderResetTime to $wgNewPasswordExpiry and setting it in seconds.

2) The password reset form also uses checkTemporaryPassword() and it looks like
it'll take the 'EXPIRED' return as 'true', indicating that it's ok to do the
reset, thus bypassing the expiry.

As a general security principle against exposing information leaks, as well as
to avoid any other potential call funkiness, it might be best to simply return
false here, considering the expired password to just not match. This would be
the same as if the temporary password had been wiped out, say by another new
password request or a successful reset completion -- these cases would not tell
you that it used to be correct, they'd just consider it invalid.

3) The new password email text should include the expiry time.

4) I'd recommend 7 days rather than 2 as the default; I know I don't get around
to some websites within 48 hours if I get busy doing something else (say, over
the weekend).

5) Patch appears to be adding UTF-8 BOM characters, need to be removed. :)
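An added illustration of point 2 (not MediaWiki's code and not from the patch under review): a stand-in for checkTemporaryPassword() whose non-boolean 'EXPIRED' return is treated as true by a caller doing a plain truthiness test, beside the version that just returns false. $wgNewPasswordExpiry in seconds follows point 1; the user-record field names and the sha256 stand-in for the real password hash are assumptions.

```php
<?php
// Hypothetical stand-in for the MediaWiki function discussed above, not its real code.
// $wgNewPasswordExpiry is in seconds, as suggested in point 1 (7 days, point 4).
$wgNewPasswordExpiry = 7 * 24 * 3600;

// Defective shape: a third, non-boolean return value. A non-empty string
// is truthy in PHP, so any caller doing `if ( $check(...) )` accepts it.
function checkTemporaryPasswordLeaky( array $u, string $plaintext, int $now ): string|bool {
    global $wgNewPasswordExpiry;
    // 'newpassword' holds a hash of the temporary password (sha256 is a stand-in here).
    if ( !hash_equals( $u['newpassword'], hash( 'sha256', $plaintext ) ) ) {
        return false;
    }
    if ( $now - $u['newpass_time'] > $wgNewPasswordExpiry ) {
        return 'EXPIRED'; // leaks "it used to be right" and reads as true
    }
    return true;
}

// Hardened shape: an expired temporary password simply does not match,
// exactly as if it had been wiped by a newer request or a completed reset.
function checkTemporaryPassword( array $u, string $plaintext, int $now ): bool {
    global $wgNewPasswordExpiry;
    if ( $now - $u['newpass_time'] > $wgNewPasswordExpiry ) {
        return false;
    }
    return hash_equals( $u['newpassword'], hash( 'sha256', $plaintext ) );
}

// Caller modelled on the reset form: it only asks "did the check pass?".
function resetAllowed( callable $check, array $u, string $pw, int $now ): bool {
    return $check( $u, $pw, $now ) ? true : false;
}

// Constructed sample: a temporary password issued at t=0, checked 10 days later.
$user = [ 'newpassword' => hash( 'sha256', 'temp-pass' ), 'newpass_time' => 0 ];
$now  = 10 * 24 * 3600;

var_dump( resetAllowed( 'checkTemporaryPasswordLeaky', $user, 'temp-pass', $now ) ); // bool(true): expiry bypassed
var_dump( resetAllowed( 'checkTemporaryPassword', $user, 'temp-pass', $now ) );      // bool(false)
```

Requires PHP 8.0 or later for the union return type on the defective version.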