WordPress.org

Make WordPress Core

Ticket #32429: 32429.3.diff

File 32429.3.diff, 1.9 KB (added by voldemortensen, 7 years ago)
  • src/wp-includes/user.php

     
    22672267                $wp_hasher = new PasswordHash( 8, true );
    22682268        }
    22692269
    2270         if ( $wp_hasher->CheckPassword( $key, $row->user_activation_key ) )
     2270        list( $pass_key, $pass_exp ) = explode( ':', $row->user_activation_key );
     2271
     2272        $expire_time = apply_filters( 'password_reset_expiration', '24 hours' );       
     2273
     2274        if( time() > strtotime( $expire_time, $pass_exp ) )
     2275                return new WP_Error( 'expired_key', __( 'Your password reset token has expired.' ) );
     2276
     2277        if ( $wp_hasher->CheckPassword( $key, $pass_key ) )
    22712278                return get_userdata( $row->ID );
    22722279
    22732280        if ( $key === $row->user_activation_key ) {
  • src/wp-login.php

     
    357357                require_once ABSPATH . WPINC . '/class-phpass.php';
    358358                $wp_hasher = new PasswordHash( 8, true );
    359359        }
    360         $hashed = $wp_hasher->HashPassword( $key );
     360        $hashed = $wp_hasher->HashPassword( $key ) . ':' . time();
    361361        $wpdb->update( $wpdb->users, array( 'user_activation_key' => $hashed ), array( 'user_login' => $user_login ) );
    362362
    363363        $message = __('Someone requested that the password be reset for the following account:') . "\r\n\r\n";
     
    525525                if ( 'invalidkey' == $_GET['error'] )
    526526                        $errors->add( 'invalidkey', __( 'Sorry, that key does not appear to be valid.' ) );
    527527                elseif ( 'expiredkey' == $_GET['error'] )
    528                         $errors->add( 'expiredkey', __( 'Sorry, that key has expired. Please try again.' ) );
     528                        $errors->add( 'expiredkey', __( 'Sorry, your password reset link has expired. Please request a new link below.' ) );
    529529        }
    530530
    531531        $lostpassword_redirect = ! empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '';