
Ticket #32428: 32428.2.diff

File 32428.2.diff, 2.5 KB (added by MikeHansenMe, 6 years ago)

add time to hash for expiring passwords

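--- a/src/wp-includes/pluggable.php
+++ b/src/wp-includes/pluggable.php
@@ -1692,28 +1692,33 @@
  * @param int    $user_id        User ID.
  * @param string $plaintext_pass Optional. The user's plaintext password. Default empty.
  */
-function wp_new_user_notification($user_id, $plaintext_pass = '') {
+function wp_new_user_notification( $user_id, $plaintext_pass = '' ) {
+        global $wpdb, $wp_hasher;
         $user = get_userdata( $user_id );
 
         // The blogname option is escaped with esc_html on the way into the database in sanitize_option
         // we want to reverse this for the plain text arena of emails.
-        $blogname = wp_specialchars_decode(get_option('blogname'), ENT_QUOTES);
+        $blogname = wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES );
 
-        $message  = sprintf(__('New user registration on your site %s:'), $blogname) . "\r\n\r\n";
-        $message .= sprintf(__('Username: %s'), $user->user_login) . "\r\n\r\n";
-        $message .= sprintf(__('E-mail: %s'), $user->user_email) . "\r\n";
+        $message  = sprintf( __( 'New user registration on your site %s:' ), $blogname ) . "\r\n\r\n";
+        $message .= sprintf( __( 'Username: %s' ), $user->user_login ) . "\r\n\r\n";
+        $message .= sprintf( __( 'E-mail: %s' ), $user->user_email ) . "\r\n";
 
-        @wp_mail(get_option('admin_email'), sprintf(__('[%s] New User Registration'), $blogname), $message);
+        @wp_mail( get_option( 'admin_email' ), sprintf( __( '[%s] New User Registration' ), $blogname ), $message );
 
-        if ( empty($plaintext_pass) )
+        if ( empty( $plaintext_pass ) ) {
                 return;
+        }
 
-        $message  = sprintf(__('Username: %s'), $user->user_login) . "\r\n";
-        $message .= sprintf(__('Password: %s'), $plaintext_pass) . "\r\n";
-        $message .= wp_login_url() . "\r\n";
+        $key = wp_generate_password( 20, false );
+        $hashed = time() . ':' . $wp_hasher->HashPassword( $key );
+        $wpdb->update( $wpdb->users, array( 'user_activation_key' => $hashed ), array( 'user_login' => $user->user_login ) );
+        $link = network_site_url( "wp-login.php?action=rp&key=$key&login=" . rawurlencode( $user->user_login ), 'login' );
 
-        wp_mail($user->user_email, sprintf(__('[%s] Your username and password'), $blogname), $message);
+        $message  = sprintf( __( 'Username: %s' ), $user->user_login ) . "\r\n";
+        $message .= sprintf( __( 'Set Password: %s' ), $link ) . "\r\n";
 
+        wp_mail( $user->user_email, sprintf( __( '[%s] Your username and password' ), $blogname ), $message );
 }
 endif;
 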
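Review bot: `$wp_hasher->HashPassword( $key )` on new line 1714 is called on the global without checking that it has been initialised, so if nothing earlier in the request has constructed the hasher this is a method call on null and the user row never receives its activation key. Guard it before use with the lazy initialisation WordPress uses for `$wp_hasher` elsewhere, e.g. `if ( empty( $wp_hasher ) ) { require_once ABSPATH . WPINC . '/class-phpass.php'; $wp_hasher = new PasswordHash( 8, true ); }`. The stored value is `time():hash`, so the expiry this patch is named for only takes effect if the key-verification path (not in this diff) parses that prefix and rejects stale timestamps; that should be confirmed in the same change. Finally, the subject on new line 1721 still reads `__( '[%s] Your username and password' )` although the body now carries a set-password link and no password, so the string should be reworded to match.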