Description: Harden newbloguser key
 CVE-2017-17091 - Use a properly generated hash for the newbloguser key
 instead of a determinate substring
Author: johnbillion@wordpress.org
Origin: upstream, https://core.trac.wordpress.org/changeset/42272/branches/4.7
Applied-Upstream: 4.9.2
Reviewed-by: Craig Small <csmall@debian.org>
Last-Update: 2017-12-09
--- a/wp-admin/user-new.php
+++ b/wp-admin/user-new.php
@@ -70,7 +70,7 @@
 			add_existing_user_to_blog( array( 'user_id' => $user_id, 'role' => $_REQUEST[ 'role' ] ) );
 			$redirect = add_query_arg( array( 'update' => 'addnoconfirmation' , 'user_id' => $user_id ), 'user-new.php' );
 		} else {
-			$newuser_key = substr( md5( $user_id ), 0, 5 );
+			$newuser_key = wp_generate_password( 20, false );
 			add_option( 'new_user_' . $newuser_key, array( 'user_id' => $user_id, 'email' => $user_details->user_email, 'role' => $_REQUEST[ 'role' ] ) );
 
 			$roles = get_editable_roles();
