Ticket #2870: wp-login.php.diff

wp-login.php

@@ -51 +51 @@
         window.onload = focusit;
         </script>
         <style type="text/css">
-        #user_login, #email, #submit {
+        #user_login, #new_pass, #email, #submit {
                 font-size: 1.7em;
         }
         </style>
@@ -59 +59 @@
 <body>
 <div id="login">
 <h1><a href="http://wordpress.org/">WordPress</a></h1>
-<p><?php _e('Please enter your information here. We will send you a new password.') ?></p>
+<p><?php _e('Please enter your information here. We will send you a link to activate your new password.') ?></p>
 <?php
 if ($error)
         echo "<div id='login_error'>$error</div>";
@@ -70 +70 @@
 <input type="hidden" name="action" value="retrievepassword" />
 <label><?php _e('Username:') ?><br />
 <input type="text" name="user_login" id="user_login" value="" size="20" tabindex="1" /></label></p>
+<p><label><?php _e('New Password:') ?><br />
+<input type="password" name="new_pass" id="new_pass" value="" size="20" tabindex="2" /></label><br />
+</p>
 <p><label><?php _e('E-mail:') ?><br />
-<input type="text" name="email" id="email" value="" size="25" tabindex="2" /></label><br />
+<input type="text" name="email" id="email" value="" size="25" tabindex="3" /></label><br />
 </p>
-<p class="submit"><input type="submit" name="submit" id="submit" value="<?php _e('Retrieve Password'); ?> &raquo;" tabindex="3" /></p>
+<p class="submit"><input type="submit" name="submit" id="submit" value="<?php _e('Retrieve Password'); ?> &raquo;" tabindex="4" /></p>
 </form>
 <ul>
         <li><a href="<?php bloginfo('home'); ?>/" title="<?php _e('Are you lost?') ?>">&laquo; <?php _e('Back to blog') ?></a></li>
@@ -89 +92 @@
 break;
 
 case 'retrievepassword':
+    $new_pass = $_POST['new_pass'];
         $user_data = get_userdatabylogin($_POST['user_login']);
         // redefining user_login ensures we return the right case in the email
         $user_login = $user_data->user_login;
@@ -107 +111 @@
         $message = __('Someone has asked to reset the password for the following site and username.') . "\r\n\r\n";
         $message .= get_option('siteurl') . "\r\n\r\n";
         $message .= sprintf(__('Username: %s'), $user_login) . "\r\n\r\n";
-        $message .= __('To reset your password visit the following address, otherwise just ignore this email and nothing will happen.') . "\r\n\r\n";
-        $message .= get_settings('siteurl') . "/wp-login.php?action=resetpass&key=$key\r\n";
+        $message .= __('To set your new password visit the following address, otherwise just ignore this email and nothing will happen.') . "\r\n\r\n";
+        $message .= get_settings('siteurl') . "/wp-login.php?action=resetpass&new_pass=$new_pass&key=$key\r\n";
 
         $m = wp_mail($user_email, sprintf(__('[%s] Password Reset'), get_settings('blogname')), $message);
 
@@ -117 +121 @@
          echo  __('Possible reason: your host may have disabled the mail() function...') . "</p>";
                 die();
         } else {
-                echo '<p>' .  sprintf(__("The e-mail was sent successfully to %s's e-mail address."), $user_login) . '<br />';
-                echo  "<a href='wp-login.php' title='" . __('Check your e-mail first, of course') . "'>" . __('Click here to login!') . '</a></p>';
+                echo '<p>' .  sprintf(__("The e-mail was sent successfully to %s's e-mail address to active new password."), $user_login) . '<br />';
                 die();
         }
 
@@ -135 +138 @@
                 die( __('Sorry, that key does not appear to be valid.') );
 
         do_action('password_reset');
-
-        $new_pass = substr( md5( uniqid( microtime() ) ), 0, 7);
+        
+        $new_pass = stripslashes($_GET['new_pass']);
         $wpdb->query("UPDATE $wpdb->users SET user_pass = MD5('$new_pass'), user_activation_key = '' WHERE user_login = '$user->user_login'");
         wp_cache_delete($user->ID, 'users');
         wp_cache_delete($user->user_login, 'userlogins');       
-        $message  = sprintf(__('Username: %s'), $user->user_login) . "\r\n";
-        $message .= sprintf(__('Password: %s'), $new_pass) . "\r\n";
-        $message .= get_settings('siteurl') . "/wp-login.php\r\n";
-
-        $m = wp_mail($user->user_email, sprintf(__('[%s] Your new password'), get_settings('blogname')), $message);
-
-        if ($m == false) {
-                echo '<p>' . __('The e-mail could not be sent.') . "<br />\n";
-                echo  __('Possible reason: your host may have disabled the mail() function...') . '</p>';
-                die();
-        } else {
-                echo '<p>' .  sprintf(__('Your new password is in the mail.'), $user_login) . '<br />';
-        echo  "<a href='wp-login.php' title='" . __('Check your e-mail first, of course') . "'>" . __('Click here to login!') . '</a></p>';
+        
+                echo '<p>' .  sprintf(__('Your new password is %s'), $new_pass) . '<br />';
+        echo  "<a href='wp-login.php' title='Login'>" . __('Click here to login!') . '</a></p>';
                 // send a copy of password change notification to the admin
                 $message = sprintf(__('Password Lost and Changed for user: %s'), $user->user_login) . "\r\n";
                 wp_mail(get_settings('admin_email'), sprintf(__('[%s] Password Lost/Change'), get_settings('blogname')), $message);
                 die();
-        }
+        
 break;
 
 case 'login' :