Ticket #21314: reset-password.patch
File reset-password.patch, 2.6 KB (added by , 10 years ago) |
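--- a/wp-login.php
+++ b/wp-login.php
@@ -396,6 +396,10 @@
 if ( $message && !wp_mail( $user_email, wp_specialchars_decode( $title ), $message ) )
 wp_die( __('The e-mail could not be sent.') . "<br />\n" . __('Possible reason: your host may have disabled the mail() function.') );
 
+// Store a timestamp so that we can expire password resets.
+$user = get_user_by( 'login', $user_login );
+update_user_meta( $user->ID, 'reset_password_timestamp', time() );
+
 return true;
 }
 
@@ -786,6 +790,9 @@
 $redirect_to = apply_filters( 'login_redirect', $redirect_to, $requested_redirect_to, $user );
 
 if ( !is_wp_error($user) && !$reauth ) {
+// Clean up user meta that may have been saved in the case of a password reset request.
+delete_user_meta( $user->ID, 'reset_password_timestamp' );
+
 if ( $interim_login ) {
 $message = '<p class="message">' . __('You have logged in successfully.') . '</p>';
 $interim_login = 'success';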
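Review bot: In the first hunk `$user = get_user_by( 'login', $user_login );` is dereferenced as `$user->ID` without checking the return value; if the lookup fails the meta write silently does nothing (with a notice), and the key that was just e-mailed is then rejected as expired by the new check in check_password_reset_key. retrieve_password starts outside the hunk; it presumably already holds the user object it resolved to produce `$user_email` and `$user_login`, so storing the timestamp through that object's ID avoids a second lookup and the unchecked dereference — e.g. `update_user_meta( $user_data->ID, 'reset_password_timestamp', time() );`, with `$user_data` standing in for whatever that variable is actually called. In the second hunk the cleanup on successful login removes only the meta while `user_activation_key` is left in place; that still disables the key because a missing timestamp is treated as expired, but it deserves a comment such as `// Only the timestamp is removed; a missing timestamp makes any outstanding reset key unusable.`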
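--- a/wp-includes/user.php
+++ b/wp-includes/user.php
@@ -2025,6 +2025,13 @@
 
 $key = preg_replace('/[^a-z0-9]/i', '', $key);
 
+/**
+ * Get usermeta that stores a timestamp we check against to make sure
+ * the reset request isn't too old.
+ */
+$user = get_user_by( 'login', $login );
+$reset_password_timestamp = get_user_meta( $user->ID, 'reset_password_timestamp', true );
+
 if ( empty( $key ) || !is_string( $key ) )
 return new WP_Error('invalid_key', __('Invalid key'));
 
@@ -2040,9 +2047,28 @@
 $wp_hasher = new PasswordHash( 8, true );
 }
 
-if ( $wp_hasher->CheckPassword( $key, $row->user_activation_key ) )
+if ( empty( $reset_password_timestamp ) ) {
+return new WP_Error( 'expired_key', __( 'Invalid key' ) );
+}
+
+/**
+ * Filter the password reset expiry duration in seconds.
+ *
+ * @since ???
+ *
+ * @param int An integer representing the time in seconds for which a
+ * password reset key should be considered valid.
+ */
+$reset_password_expiry_in_seconds = apply_filters( 'reset_password_expiry_in_seconds', 4 * HOUR_IN_SECONDS );
+if ( time() - (int) $reset_password_timestamp > $reset_password_expiry_in_seconds ) {
+return new WP_Error( 'expired_key', 'Invalid key' );
+}
+
+if ( $wp_hasher->CheckPassword( $key, $row->user_activation_key ) ) {
 return get_userdata( $row->ID );
+}
 
+
 if ( $key === $row->user_activation_key ) {
 $return = new WP_Error( 'expired_key', __( 'Invalid key' ) );
 $user_id = $row->ID;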
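Review bot: The lookup added at new lines 2032–2033 runs before the key is validated and before the existing `$row` query, and `$user->ID` is read without checking that `get_user_by()` found anyone, so an unknown `$login` raises a notice instead of falling through to the function's existing unknown-user handling (the rest of check_password_reset_key is outside the hunk). Fetching the timestamp after `$row` is known and keying it on `$row->ID` removes both the duplicate lookup and the unchecked dereference: `$reset_password_timestamp = get_user_meta( $row->ID, 'reset_password_timestamp', true );`. New line 2064 returns the literal `'Invalid key'` without `__()`, unlike lines 2051 and 2073; it should read `return new WP_Error( 'expired_key', __( 'Invalid key' ) );`. The `@since ???` in the filter docblock needs the target version filled in, and the docblock should also state that the expiry check runs before the hash comparison, so a stale or missing timestamp yields `expired_key` even when the key itself would not have matched.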