WordPress.org

Make WordPress Core

Ticket #32429: 32429.4.diff

File 32429.4.diff, 2.2 KB (added by markjaquith, 7 years ago)
  • src/wp-includes/user.php

    diff --git src/wp-includes/user.php src/wp-includes/user.php
    index c8d756f..1fa0f04 100644
    function check_password_reset_key($key, $login) { 
    22832283                $wp_hasher = new PasswordHash( 8, true );
    22842284        }
    22852285
    2286         if ( $wp_hasher->CheckPassword( $key, $row->user_activation_key ) )
     2286        $expire_time = apply_filters( 'password_reset_expiration', '24 hours' );
     2287
     2288        if ( strpos( $row->user_activation_key, ':' ) !== false ) {
     2289                list( $pass_exp, $pass_key ) = explode( ':', $row->user_activation_key, 2 );
     2290        } else {
     2291                $pass_key = '';
     2292                $pass_exp = 0;
     2293        }
     2294
     2295        if ( time() > strtotime( $expire_time, $pass_exp ) ) {
     2296                return new WP_Error( 'expired_key', __( 'Your password reset token has expired.' ) );
     2297        }
     2298
     2299        if ( $wp_hasher->CheckPassword( $key, $pass_key ) ) {
    22872300                return get_userdata( $row->ID );
     2301        }
    22882302
    22892303        if ( $key === $row->user_activation_key ) {
    2290                 $return = new WP_Error( 'expired_key', __( 'Invalid key' ) );
     2304                $return = new WP_Error( 'expired_key', __( 'Your password reset token has expired.' ) );
    22912305                $user_id = $row->ID;
    22922306
    22932307                /**
  • src/wp-login.php

    diff --git src/wp-login.php src/wp-login.php
    index 2056852..00a3a4b 100644
    function retrieve_password() { 
    363363                require_once ABSPATH . WPINC . '/class-phpass.php';
    364364                $wp_hasher = new PasswordHash( 8, true );
    365365        }
    366         $hashed = $wp_hasher->HashPassword( $key );
     366        $hashed = time() . ':' . $wp_hasher->HashPassword( $key );
    367367        $wpdb->update( $wpdb->users, array( 'user_activation_key' => $hashed ), array( 'user_login' => $user_login ) );
    368368
    369369        $message = __('Someone requested that the password be reset for the following account:') . "\r\n\r\n";
    case 'retrievepassword' : 
    531531                if ( 'invalidkey' == $_GET['error'] )
    532532                        $errors->add( 'invalidkey', __( 'Sorry, that key does not appear to be valid.' ) );
    533533                elseif ( 'expiredkey' == $_GET['error'] )
    534                         $errors->add( 'expiredkey', __( 'Sorry, that key has expired. Please try again.' ) );
     534                        $errors->add( 'expiredkey', __( 'Your password reset link has expired. Please request a new link below.' ) );
    535535        }
    536536
    537537        $lostpassword_redirect = ! empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '';