https://bugzilla.wikimedia.org/show_bug.cgi?id=2242


Brion Vibber <br...@wikimedia.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |br...@wikimedia.org
           Keywords|need-review                 |patch

--- Comment #7 from Brion Vibber <br...@wikimedia.org>  2008-12-30 03:45:02 UTC ---
Couple notes:

1) Setting the expiration in hours seems sub-ideal to me, since nearly all
time-based config options are in seconds.

I'd recommend renaming $wgPasswordReminderResetTime to $wgNewPasswordExpiry and
setting it in seconds.

2) The password reset form also uses checkTemporaryPassword() and it looks like
it'll take the 'EXPIRED' return as 'true', indicating that it's ok to do the
reset, thus bypassing the expiry.

As a general security principle against exposing information leaks, as well as
to avoid any other potential call funkiness, it might be best to simply return
false here, considering the expired password to just not match. This would be
the same as if the temporary password had been wiped out, say by another new
password request or a successful reset completion -- these cases would not tell
you that it used to be correct, they'd just consider it invalid.


3) The new password email text should include the expiry time.

4) I'd recommend 7 days rather than 2 as the default; I know I don't get around
to some websites within 48 hours if I get busy doing something else (say, over
the weekend).

5) Patch appears to be adding UTF-8 BOM characters, need to be removed. :)


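The expiry-bypass noted in point 2 comes down to a sentinel string being truthy. The following is an added illustration, not MediaWiki's code or the bug's patch: a hypothetical checkTemporaryPassword() that returns 'EXPIRED', the plain truthiness test a caller like the reset form would apply, and the fixed variant that returns false for an expired password exactly as it would for a wrong one. Names, the 7-day value and the sample password are constructed for the example.

```php
<?php
// Added illustration (not MediaWiki's actual code).

// Leaky variant: reports expiry with the string 'EXPIRED'.
class TempPasswordCheckerLeaky {
    public function __construct( private string $tempHash, private int $expiresAt ) {}

    // Returns true, false, or the string 'EXPIRED'.
    public function checkTemporaryPassword( string $plaintext, int $now ) {
        if ( !password_verify( $plaintext, $this->tempHash ) ) {
            return false;
        }
        if ( $now > $this->expiresAt ) {
            return 'EXPIRED';   // non-empty string: truthy in PHP
        }
        return true;
    }
}

// Fixed variant: expired and wrong both map to false, so the caller can
// neither distinguish them nor be fooled by a truthiness test.
class TempPasswordCheckerFixed {
    public function __construct( private string $tempHash, private int $expiresAt ) {}

    public function checkTemporaryPassword( string $plaintext, int $now ): bool {
        return password_verify( $plaintext, $this->tempHash )
            && $now <= $this->expiresAt;
    }
}

// Constructed sample: temporary password issued at t=0, expiring after 7 days.
$wgNewPasswordExpiry = 7 * 24 * 3600;   // seconds, per the renaming suggested above
$hash = password_hash( 'temp-secret', PASSWORD_DEFAULT );
$issuedAt = 0;
$expiresAt = $issuedAt + $wgNewPasswordExpiry;
$eightDaysLater = $issuedAt + 8 * 24 * 3600;

$leaky = new TempPasswordCheckerLeaky( $hash, $expiresAt );
$fixed = new TempPasswordCheckerFixed( $hash, $expiresAt );

// The reset form's pattern: "if ( $user->checkTemporaryPassword( $pw ) )".
var_dump( (bool) $leaky->checkTemporaryPassword( 'temp-secret', $eightDaysLater ) ); // bool(true): expiry bypassed
var_dump( (bool) $fixed->checkTemporaryPassword( 'temp-secret', $eightDaysLater ) ); // bool(false)
var_dump( $fixed->checkTemporaryPassword( 'wrong', $eightDaysLater ) );              // bool(false), indistinguishable
```

Requires PHP 8 for the constructor property promotion; on older PHP, assign the two properties explicitly.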