Ticket #32429: 32429.2.diff

File 32429.2.diff, 3.0 KB (added by voldemortensen, 7 years ago)
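--- a/src/wp-includes/user.php
+++ b/src/wp-includes/user.php
@@ -2268,7 +2268,14 @@
                 $wp_hasher = new PasswordHash( 8, true );
         }
 
-        if ( $wp_hasher->CheckPassword( $key, $row->user_activation_key ) )
+        list( $pass_key, $pass_exp ) = explode( ':', $row->user_activation_key );
+
+        $expire_time = apply_filters( 'time_to_expire_password_keys', '24 hours' );     
+
+        if( time() > strtotime( $expire_time, $pass_exp ) )
+                return new WP_Error( 'expired_key', __( 'Your password reset token has expired.' ) );
+
+        if ( $wp_hasher->CheckPassword( $key, $pass_key ) )
                 return get_userdata( $row->ID );
 
         if ( $key === $row->user_activation_key ) {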
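Review bot: The expiry test at new line 2275 runs before `CheckPassword()` and uses a `$pass_exp` that is unset whenever the stored `user_activation_key` contains no `:`, which covers rows written before this patch and the plaintext legacy value that the `$key === $row->user_activation_key` branch below still expects. Such rows raise an undefined-offset notice and will most likely be reported as expired, so the legacy branch looks unreachable for them. Because `expired_key` is returned before the submitted key is verified, a request carrying a wrong key can also tell an expired reset apart from an invalid one. Pad the split, `list( $pass_key, $pass_exp ) = array_pad( explode( ':', $row->user_activation_key, 2 ), 2, 0 );`, and move the `time() > strtotime( ... )` test inside the branch where `CheckPassword()` has succeeded. The enclosing function starts and ends outside this hunk.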
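--- a/src/wp-login.php
+++ b/src/wp-login.php
@@ -357,7 +357,8 @@
                 require_once ABSPATH . WPINC . '/class-phpass.php';
                 $wp_hasher = new PasswordHash( 8, true );
         }
-        $hashed = $wp_hasher->HashPassword( $key );
+        $time = time();
+        $hashed = $wp_hasher->HashPassword( $key ) . ':' . $time;
         $wpdb->update( $wpdb->users, array( 'user_activation_key' => $hashed ), array( 'user_login' => $user_login ) );
 
         $message = __('Someone requested that the password be reset for the following account:') . "\r\n\r\n";
@@ -365,7 +366,7 @@
         $message .= sprintf(__('Username: %s'), $user_login) . "\r\n\r\n";
         $message .= __('If this was a mistake, just ignore this email and nothing will happen.') . "\r\n\r\n";
         $message .= __('To reset your password, visit the following address:') . "\r\n\r\n";
-        $message .= '<' . network_site_url("wp-login.php?action=rp&key=$key&login=" . rawurlencode($user_login), 'login') . ">\r\n";
+        $message .= '<' . network_site_url("wp-login.php?action=rp&key=$key:$time&login=" . rawurlencode($user_login), 'login') . ">\r\n";
 
         if ( is_multisite() )
                 $blogname = $GLOBALS['current_site']->site_name;
@@ -525,7 +526,8 @@
                 if ( 'invalidkey' == $_GET['error'] )
                         $errors->add( 'invalidkey', __( 'Sorry, that key does not appear to be valid.' ) );
                 elseif ( 'expiredkey' == $_GET['error'] )
-                        $errors->add( 'expiredkey', __( 'Sorry, that key has expired. Please try again.' ) );
+                        $errors->add( 'expiredkey', __( 'Sorry, your password reset link has expired. Please request a new link below.' ) );
+               
         }
 
         $lostpassword_redirect = ! empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '';
@@ -588,7 +590,8 @@
         list( $rp_path ) = explode( '?', wp_unslash( $_SERVER['REQUEST_URI'] ) );
         $rp_cookie = 'wp-resetpass-' . COOKIEHASH;
         if ( isset( $_GET['key'] ) ) {
-                $value = sprintf( '%s:%s', wp_unslash( $_GET['login'] ), wp_unslash( $_GET['key'] ) );
+                list( $key, $exp ) = explode( ':', wp_unslash( $_GET['key'] ) );
+                $value = sprintf( '%s:%s', wp_unslash( $_GET['login'] ), $key );
                 setcookie( $rp_cookie, $value, 0, $rp_path, COOKIE_DOMAIN, is_ssl(), true );
                 wp_safe_redirect( remove_query_arg( array( 'key', 'login' ) ) );
                 exit;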
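Review bot: The `:$time` suffix added to the mailed URL (new line 369) is never verified: the handler at new lines 593-594 splits it into `$exp` and discards it, and the only expiry check visible on this page (in `src/wp-includes/user.php`) reads the timestamp stored in `user_activation_key`. Since the server-side copy is the authoritative one, the suffix can be dropped from the link; as written, a `key` parameter without `:` leaves `$exp` unassigned and raises a notice. If the suffix stays, `list( $key ) = explode( ':', wp_unslash( $_GET['key'] ), 2 );` avoids the unused variable, and an `is_string( $_GET['key'] )` test before the split would keep an array-valued parameter out of `explode()`. The `if ( isset( $_GET['key'] ) )` block closes outside the last hunk.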