token not verified properly
Hi this is a bit of a security issue. Just verified on a fresh PW 3.0.23 install with the latest FrontendUser.
When I am using the verify user email plugin it lets me type in any random token in the field and choose password/register without actually following the link in the email/copying the token. No errors thrown, just seems like it ignores the token field.
Comments (5)
-
reporter -
repo owner Hi @onoffonoff https://bitbucket.org/pwFoo/frontenduser/commits/05b2c3a6e4af681cf31a75319b6d4dba36677fe9 Is the problem still there? I can't test it at the moment... Could you verify and report back, please?
-
reporter nope that does not fix it. I would recommend my 2nd comment.. lines: -129 +128
-
reporter it will need extra logic, and I have no time to work on it right now unfortunately...
-
repo owner Could you test it and report back? https://bitbucket.org/pwFoo/frontenduser/commits/dc11ae43faade9545d15f2b3986280a75a211757?at=master
line 129 seems to break the validation... if 129 is commented and the old 128 uncommented it works again.
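
The failure reported in this issue is a verification step that accepts any value typed into the token field. A fail-closed check is sketched below as an added example; it is not FrontendUser or ProcessWire code, and the function names, the hashed server-side record and the one-hour lifetime are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example; every name here is hypothetical, not part of FrontendUser.

/** Create a token: 'token' goes into the e-mail, 'record' stays server-side. */
function issueEmailToken(int $ttlSeconds = 3600): array
{
    $token = bin2hex(random_bytes(16)); // 128-bit random value for the e-mail link
    return [
        'token'  => $token,
        'record' => [
            'hash'    => hash('sha256', $token), // assumption: only the hash is stored
            'expires' => time() + $ttlSeconds,
        ],
    ];
}

/**
 * True only when the submitted value matches the issued token.
 * Missing record, empty or non-string field, expiry and mismatch all return false,
 * so registration cannot proceed when the check is skipped or the field is junk.
 */
function verifyEmailToken(?array $record, $submitted, ?int $now = null): bool
{
    $now = $now ?? time();
    if ($record === null || !isset($record['hash'], $record['expires'])) {
        return false; // no token was issued for this registration
    }
    if (!is_string($submitted) || $submitted === '') {
        return false; // empty field or array-valued form input
    }
    if ($now > $record['expires']) {
        return false; // token lifetime exceeded
    }
    // Constant-time comparison of the stored hash with the hash of the input.
    return hash_equals($record['hash'], hash('sha256', $submitted));
}

// Constructed demo input: one issued token, then the cases from the report.
$issued = issueEmailToken();
$record = $issued['record'];
var_dump(verifyEmailToken($record, $issued['token']));    // token copied from the e-mail
var_dump(verifyEmailToken($record, 'any-random-token'));  // random value typed into the field
var_dump(verifyEmailToken($record, ''));                  // field left empty
var_dump(verifyEmailToken(null, $issued['token']));       // nothing issued server-side
var_dump(verifyEmailToken($record, $issued['token'], $record['expires'] + 1)); // expired
```

A regression test for this issue would assert that the password/register step is unreachable for every case above except the first.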