Ticket #31039: 31039.3.patch
File 31039.3.patch, 10.9 KB (added by , 8 years ago) |
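--- a/wp-includes/user.php
+++ b/wp-includes/user.php
@@ -2234,6 +2234,159 @@
 }
 
 /**
+ * Handles sending password retrieval email to user.
+ *
+ * @since 2.5
+ * @since 4.3.0 Moved out of wp-login.php and introduced parameter.
+ *
+ * @global wpdb $wpdb WordPress database abstraction object.
+ * @global PasswordHash $wp_hasher Portable PHP password hashing framework.
+ *
+ * @param string $user_login Username or email of the user.
+ * @return bool|WP_Error True: when finish. WP_Error on error.
+ */
+function retrieve_password( $user_login ) {
+global $wpdb, $wp_hasher;
+
+$errors = new WP_Error();
+
+if ( empty( $user_login ) ) {
+$errors->add('empty_username', __( '<strong>ERROR</strong>: Enter a username or e-mail address.' ) );
+} elseif ( strpos( $user_login, '@' ) ) {
+$user_data = get_user_by( 'email', trim( $user_login ) );
+if ( empty( $user_data ) ) {
+$errors->add( 'invalid_email', __( '<strong>ERROR</strong>: There is no user registered with that email address.' ) );
+}
+} else {
+$login = trim( $user_login );
+$user_data = get_user_by( 'login', $login );
+}
+
+/**
+ * Fires before errors are returned from a password reset request.
+ *
+ * @since 2.1.0
+ */
+do_action( 'lostpassword_post' );
+
+if ( $errors->get_error_code() ) {
+return $errors;
+}
+
+if ( !$user_data ) {
+$errors->add('invalidcombo', __('<strong>ERROR</strong>: Invalid username or e-mail.'));
+return $errors;
+}
+
+// Redefining user_login ensures we return the right case in the email.
+$user_login = $user_data->user_login;
+$user_email = $user_data->user_email;
+
+/**
+ * Fires before a new password is retrieved.
+ *
+ * @since 1.5.0
+ * @deprecated 1.5.1 Misspelled. Use 'retrieve_password' hook instead.
+ *
+ * @param string $user_login The user login name.
+ */
+do_action( 'retreive_password', $user_login );
+
+/**
+ * Fires before a new password is retrieved.
+ *
+ * @since 1.5.1
+ *
+ * @param string $user_login The user login name.
+ */
+do_action( 'retrieve_password', $user_login );
+
+/**
+ * Filter whether to allow a password to be reset.
+ *
+ * @since 2.7.0
+ *
+ * @param bool true Whether to allow the password to be reset. Default true.
+ * @param int $user_data->ID The ID of the user attempting to reset a password.
+ */
+$allow = apply_filters( 'allow_password_reset', true, $user_data->ID );
+
+if ( ! $allow ) {
+return new WP_Error( 'no_password_reset', __( 'Password reset is not allowed for this user' ) );
+} elseif ( is_wp_error( $allow ) ) {
+return $allow;
+}
+
+// Generate something random for a password reset key.
+$key = wp_generate_password( 20, false );
+
+/**
+ * Fires when a password reset key is generated.
+ *
+ * @since 2.5.0
+ *
+ * @param string $user_login The username for the user.
+ * @param string $key The generated password reset key.
+ */
+do_action( 'retrieve_password_key', $user_login, $key );
+
+// Now insert the key, hashed, into the DB.
+if ( empty( $wp_hasher ) ) {
+require_once ABSPATH . WPINC . '/class-phpass.php';
+$wp_hasher = new PasswordHash( 8, true );
+}
+$hashed = $wp_hasher->HashPassword( $key );
+$wpdb->update( $wpdb->users, array( 'user_activation_key' => $hashed ), array( 'user_login' => $user_login ) );
+
+$message = __( 'Someone requested that the password be reset for the following account:' ) . "\r\n\r\n";
+$message .= network_home_url( '/' ) . "\r\n\r\n";
+$message .= sprintf( __( 'Username: %s' ), $user_login ) . "\r\n\r\n";
+$message .= __( 'If this was a mistake, just ignore this email and nothing will happen.' ) . "\r\n\r\n";
+$message .= __( 'To reset your password, visit the following address:' ) . "\r\n\r\n";
+$message .= '<' . network_site_url ("wp-login.php?action=rp&key=$key&login=" . rawurlencode( $user_login ), 'login' ) . ">\r\n";
+
+if ( is_multisite() ) {
+$blogname = $GLOBALS['current_site']->site_name;
+} else {
+/*
+ * The blogname option is escaped with esc_html on the way into the database
+ * in sanitize_option we want to reverse this for the plain text arena of emails.
+ */
+$blogname = wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES );
+}
+
+$title = sprintf( __( '[%s] Password Reset' ), $blogname );
+
+/**
+ * Filter the subject of the password reset email.
+ *
+ * @since 2.8.0
+ *
+ * @param string $title Default email title.
+ */
+$title = apply_filters( 'retrieve_password_title', $title );
+
+/**
+ * Filter the message body of the password reset mail.
+ *
+ * @since 2.8.0
+ * @since 4.1.0 Added `$user_login` and `$user_data` parameters.
+ *
+ * @param string $message Default mail message.
+ * @param string $key The activation key.
+ * @param string $user_login The username for the user.
+ * @param WP_User $user_data WP_User object.
+ */
+$message = apply_filters( 'retrieve_password_message', $message, $key, $user_login, $user_data );
+
+if ( $message && !wp_mail( $user_email, wp_specialchars_decode( $title ), $message ) ) {
+wp_die( __( 'The e-mail could not be sent.' ) . "<br />\n" . __( 'Possible reason: your host may have disabled the mail() function.' ) );
+}
+
+return true;
+}
+
+/**
  * Retrieves a user row based on password reset key and login
  *
  * A key is considered 'expired' if it exactly matches the value of the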
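Review bot: The new `retrieve_password()` in wp-includes/user.php writes `network_site_url ("wp-login.php?action=rp&key=$key&login=" ...` (line 2346) with a space before the opening parenthesis, which neither the rest of the function nor the removed wp-login.php copy does; `network_site_url( "wp-login.php?action=rp&key=$key&login=" . rawurlencode( $user_login ), 'login' )` matches the surrounding call style. In the docblock, `@since 2.5` should read `@since 2.5.0` to match the other version tags, and the `@param string $user_login` line would be clearer as `@param string $user_login Username or email of the user, as submitted; only used for the lookup — the email body uses the stored `$user_data->user_login`.` Since `$key` is interpolated into the reset URL without `rawurlencode()` while `$user_login` is encoded, a comment on line 2346 such as `// $key comes from wp_generate_password( 20, false ), i.e. no special characters, so it needs no URL-encoding here.` would record why the asymmetry is safe (assuming the `random_password` filter has not been used to introduce other characters).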
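--- a/wp-login.php
+++ b/wp-login.php
@@ -261,151 +261,6 @@
 <?php
 }
 
-/**
- * Handles sending password retrieval email to user.
- *
- * @global wpdb $wpdb WordPress database abstraction object.
- * @global PasswordHash $wp_hasher Portable PHP password hashing framework.
- *
- * @return bool|WP_Error True: when finish. WP_Error on error
- */
-function retrieve_password() {
-global $wpdb, $wp_hasher;
-
-$errors = new WP_Error();
-
-if ( empty( $_POST['user_login'] ) ) {
-$errors->add('empty_username', __('<strong>ERROR</strong>: Enter a username or e-mail address.'));
-} elseif ( strpos( $_POST['user_login'], '@' ) ) {
-$user_data = get_user_by( 'email', trim( $_POST['user_login'] ) );
-if ( empty( $user_data ) )
-$errors->add('invalid_email', __('<strong>ERROR</strong>: There is no user registered with that email address.'));
-} else {
-$login = trim($_POST['user_login']);
-$user_data = get_user_by('login', $login);
-}
-
-/**
- * Fires before errors are returned from a password reset request.
- *
- * @since 2.1.0
- */
-do_action( 'lostpassword_post' );
-
-if ( $errors->get_error_code() )
-return $errors;
-
-if ( !$user_data ) {
-$errors->add('invalidcombo', __('<strong>ERROR</strong>: Invalid username or e-mail.'));
-return $errors;
-}
-
-// Redefining user_login ensures we return the right case in the email.
-$user_login = $user_data->user_login;
-$user_email = $user_data->user_email;
-
-/**
- * Fires before a new password is retrieved.
- *
- * @since 1.5.0
- * @deprecated 1.5.1 Misspelled. Use 'retrieve_password' hook instead.
- *
- * @param string $user_login The user login name.
- */
-do_action( 'retreive_password', $user_login );
-
-/**
- * Fires before a new password is retrieved.
- *
- * @since 1.5.1
- *
- * @param string $user_login The user login name.
- */
-do_action( 'retrieve_password', $user_login );
-
-/**
- * Filter whether to allow a password to be reset.
- *
- * @since 2.7.0
- *
- * @param bool true Whether to allow the password to be reset. Default true.
- * @param int $user_data->ID The ID of the user attempting to reset a password.
- */
-$allow = apply_filters( 'allow_password_reset', true, $user_data->ID );
-
-if ( ! $allow ) {
-return new WP_Error( 'no_password_reset', __('Password reset is not allowed for this user') );
-} elseif ( is_wp_error( $allow ) ) {
-return $allow;
-}
-
-// Generate something random for a password reset key.
-$key = wp_generate_password( 20, false );
-
-/**
- * Fires when a password reset key is generated.
- *
- * @since 2.5.0
- *
- * @param string $user_login The username for the user.
- * @param string $key The generated password reset key.
- */
-do_action( 'retrieve_password_key', $user_login, $key );
-
-// Now insert the key, hashed, into the DB.
-if ( empty( $wp_hasher ) ) {
-require_once ABSPATH . WPINC . '/class-phpass.php';
-$wp_hasher = new PasswordHash( 8, true );
-}
-$hashed = $wp_hasher->HashPassword( $key );
-$wpdb->update( $wpdb->users, array( 'user_activation_key' => $hashed ), array( 'user_login' => $user_login ) );
-
-$message = __('Someone requested that the password be reset for the following account:') . "\r\n\r\n";
-$message .= network_home_url( '/' ) . "\r\n\r\n";
-$message .= sprintf(__('Username: %s'), $user_login) . "\r\n\r\n";
-$message .= __('If this was a mistake, just ignore this email and nothing will happen.') . "\r\n\r\n";
-$message .= __('To reset your password, visit the following address:') . "\r\n\r\n";
-$message .= '<' . network_site_url("wp-login.php?action=rp&key=$key&login=" . rawurlencode($user_login), 'login') . ">\r\n";
-
-if ( is_multisite() )
-$blogname = $GLOBALS['current_site']->site_name;
-else
-/*
- * The blogname option is escaped with esc_html on the way into the database
- * in sanitize_option we want to reverse this for the plain text arena of emails.
- */
-$blogname = wp_specialchars_decode(get_option('blogname'), ENT_QUOTES);
-
-$title = sprintf( __('[%s] Password Reset'), $blogname );
-
-/**
- * Filter the subject of the password reset email.
- *
- * @since 2.8.0
- *
- * @param string $title Default email title.
- */
-$title = apply_filters( 'retrieve_password_title', $title );
-
-/**
- * Filter the message body of the password reset mail.
- *
- * @since 2.8.0
- * @since 4.1.0 Added `$user_login` and `$user_data` parameters.
- *
- * @param string $message Default mail message.
- * @param string $key The activation key.
- * @param string $user_login The username for the user.
- * @param WP_User $user_data WP_User object.
- */
-$message = apply_filters( 'retrieve_password_message', $message, $key, $user_login, $user_data );
-
-if ( $message && !wp_mail( $user_email, wp_specialchars_decode( $title ), $message ) )
-wp_die( __('The e-mail could not be sent.') . "<br />\n" . __('Possible reason: your host may have disabled the mail() function.') );
-
-return true;
-}
-
 //
 // Main
 //
@@ -512,8 +367,8 @@
 case 'lostpassword' :
 case 'retrievepassword' :
 
-if ( $http_post ) {
-$errors = retrieve_password( );
+if ( $http_post && isset( $_POST['user_login'] ) ) {
+$errors = retrieve_password( $_POST['user_login'] );
 if ( !is_wp_error($errors) ) {
 $redirect_to = !empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : 'wp-login.php?checkemail=confirm';
 wp_safe_redirect( $redirect_to );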
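Review bot: The added guard `if ( $http_post && isset( $_POST['user_login'] ) )` (new line 370) silently changes what a POST without a `user_login` field does: the removed code called `retrieve_password()`, which added the `empty_username` error and fired `lostpassword_post`, whereas now such a request skips the function entirely and presumably falls through to the blank form with no error message and no action fired. Because the moved function already handles that case with its own `empty( $user_login )` check, keeping the old condition and passing an empty value preserves the previous behaviour without an undefined-index notice: `if ( $http_post ) {` / `$errors = retrieve_password( isset( $_POST['user_login'] ) ? $_POST['user_login'] : '' );`. The new code also passes the raw POST value straight through; a short comment such as `// Raw input: retrieve_password() only uses it for the user lookup and never echoes it.` would make that contract explicit at the call site. The `case` block continues outside the hunk.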