
Ticket #21314: reset-password.patch

File reset-password.patch, 2.6 KB (added by dllh, 7 years ago)

non-cron approach

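--- a/wp-login.php
+++ b/wp-login.php
@@ -396,6 +396,10 @@
 	if ( $message && !wp_mail( $user_email, wp_specialchars_decode( $title ), $message ) )
 		wp_die( __('The e-mail could not be sent.') . "<br />\n" . __('Possible reason: your host may have disabled the mail() function.') );
 
+	// Store a timestamp so that we can expire password resets.
+	$user = get_user_by( 'login', $user_login );
+	update_user_meta( $user->ID, 'reset_password_timestamp', time() );
+
 	return true;
 }
 
@@ -786,6 +790,9 @@
 	$redirect_to = apply_filters( 'login_redirect', $redirect_to, $requested_redirect_to, $user );
 
 	if ( !is_wp_error($user) && !$reauth ) {
+		// Clean up user meta that may have been saved in the case of a password reset request.
+		delete_user_meta( $user->ID, 'reset_password_timestamp' );
+
 		if ( $interim_login ) {
 			$message = '<p class="message">' . __('You have logged in successfully.') . '</p>';
 			$interim_login = 'success';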
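Review bot: `get_user_by( 'login', $user_login )` on new line 400 can return false, in which case `$user->ID` on line 401 dereferences a non-object, no timestamp is written, and every later reset for that account is rejected by the new `expired_key` check in user.php as if the key had expired. This seems likely whenever the request was made by e-mail address rather than login name, since the lookup here is by login only; the enclosing function starts outside the hunk, so if it has already resolved the account to a user object earlier, reuse that object instead of re-querying, otherwise add a guard before the update such as `if ( ! $user ) { return new WP_Error( 'invalid_key', __( 'Invalid key' ) ); }`. Keeping the timestamp in a separate meta key from `user_activation_key` also lets the two drift (for example a second reset request refreshing the timestamp while an older mailed key is still accepted); storing the issue time together with the key itself would tie the expiry to the specific key that was mailed. The same timestamp is also consulted in the user.php hunks, where the same false return from `get_user_by( 'login', $login )` applies.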
  • wp-includes/user.php

     
    20252025
    20262026        $key = preg_replace('/[^a-z0-9]/i', '', $key);
    20272027
     2028        /**
     2029         * Get usermeta that stores a timestamp we check against to make sure
     2030         * the reset request isn't too old.
     2031         */
     2032        $user = get_user_by( 'login', $login );
     2033        $reset_password_timestamp = get_user_meta( $user->ID, 'reset_password_timestamp', true );
     2034
    20282035        if ( empty( $key ) || !is_string( $key ) )
    20292036                return new WP_Error('invalid_key', __('Invalid key'));
    20302037
     
    20402047                $wp_hasher = new PasswordHash( 8, true );
    20412048        }
    20422049
    2043         if ( $wp_hasher->CheckPassword( $key, $row->user_activation_key ) )
     2050        if ( empty( $reset_password_timestamp ) ) {
     2051                return new WP_Error( 'expired_key', __( 'Invalid key' ) );
     2052        }
     2053
     2054        /**
     2055         * Filter the password reset expiry duration in seconds.
     2056         *
     2057         * @since ???
     2058         *
     2059         * @param int  An integer representing the time in seconds for which a
     2060         *             password reset key should be considered valid.
     2061         */
     2062        $reset_password_expiry_in_seconds = apply_filters( 'reset_password_expiry_in_seconds', 4 * HOUR_IN_SECONDS );
     2063        if ( time() - (int) $reset_password_timestamp > $reset_password_expiry_in_seconds ) {
     2064                return new WP_Error( 'expired_key', 'Invalid key' );
     2065        }
     2066
     2067        if ( $wp_hasher->CheckPassword( $key, $row->user_activation_key ) ) {
    20442068                return get_userdata( $row->ID );
     2069        }
    20452070
     2071
    20462072        if ( $key === $row->user_activation_key ) {
    20472073                $return = new WP_Error( 'expired_key', __( 'Invalid key' ) );
    20482074                $user_id = $row->ID;