in reply to Re^10: Ideas for "fixing" PerlMonks 1.0
in thread Ideas for "fixing" PerlMonks 1.0

I need to apply patches to the node in question to code efficiently, yes.

You write 'em, we'll apply 'em. Yes it goes slower, but it will still be faster than the current pace of development!

Ok if there are no plans to hash the passwords, why bother?

What do you mean by "plans"? Obviously we'd all like to see improvements made. Simply goading the gods isn't how it happens. If you can provide coding & subject matter expertise, we can work together.

Re^12: Ideas for "fixing" PerlMonks 1.0
by LanX (Saint) on Dec 18, 2024 at 22:14 UTC
    Ok, look.

    If I can apply the patches on that isolated node it'll take me probably a week, considering all edge cases and the weirdness of the monastery. ¹

    If I have to wait for you guys to act, it'll take a month at least.

    Sorry, no!

    Maybe I'll find time next year to locally set up the old download version of the Everything engine and can develop it locally on my box.

    Provided Everything::MAIL.pm is the same. Then you'll get a full node in one go, without patch/dev history.

    Or maybe etj will do better and faster.

    On another note:

    I've reported a serious security issue in 2019 and provided code to patch Everything.pm.

    No matter how you patch it - I don't really care anymore if disabled or optional - please patch it.

    Cheers Rolf
    (addicted to the Perl Programming Language :)
    see Wikisyntax for the Monastery

    Updates

    ¹) The necessity to document and test it included.

    There is also injection detection logic to report if someone tried to manipulate the parameters.

    It's also limiting the time window and reset attempts to a fixed number per interval to block DNS and brute force attacks.

    We are talking about hundreds of LOC.

      If I have to wait for you guys to act, it'll take a month at least

      That's the pace at which things move around here. If you want to be involved, you probably ought to get used to it. That being said, we could maybe schedule some time — like an hour per week, or whatever — when we can coordinate, chat in real time, and so on. That should make things go quicker.

      Provided Everything::MAIL.pm is the same. Then you'll get a full node in one go, without patch/dev history.

      That would be great! For sending email, we use this function, node2mail, which is defined in Everything/MAIL.pm. It's dead simple. I'm not sure if EE has functionality to receive email. Will that be needed?

      I've reported a serious security issue in 2019 and provided code to patch Everything.pm.

      Please give me a link to the patch and discussion. (Note: it will probably take Corion to make such a change.)

      Today's latest and greatest software contains tomorrow's zero day exploits.
        The only efficient way I can see developing it is to build my private Dev environment around the code of What's my password?

        You'll get a monolithic block of code and since I can't debug PM you'll have to take over maintenance. (Do code nodes have a size limit?)

        I'll think about it and will come back to you next year after I'm back from holidays.

        In the meantime please have a plan how to migrate to hashed keywords afterwards, otherwise it's all in vain.

        > Please give me a link to the patch and discussion.

        See Re^7: Ideas for "fixing" PerlMonks 1.0. Point number 3 links to the patch.

        The full discussion is in the thread

        > I'm not sure if EE has functionality to receive email. Will that be needed?

        No, only sending an email with an encoded link to start the password reset.

        The mail template in Password Mail doesn't look like HTML emails are supported tho, which means we need to rely on mail clients making links in plaintext clickable by heuristics.

        Cheers Rolf
        (addicted to the Perl Programming Language :)
        see Wikisyntax for the Monastery