Ticket #32429: 32429.8.diff
File 32429.8.diff, 5.7 KB (added by , 9 years ago) |
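--- a/src/wp-includes/user.php
+++ b/src/wp-includes/user.php
@@ -2446,42 +2446,66 @@ function check_password_reset_key($key,
 if ( empty( $key ) || !is_string( $key ) )
 return new WP_Error('invalid_key', __('Invalid key'));
 
 if ( empty($login) || !is_string($login) )
 return new WP_Error('invalid_key', __('Invalid key'));
 
 $row = $wpdb->get_row( $wpdb->prepare( "SELECT ID, user_activation_key FROM $wpdb->users WHERE user_login = %s", $login ) );
 if ( ! $row )
 return new WP_Error('invalid_key', __('Invalid key'));
 
 if ( empty( $wp_hasher ) ) {
 require_once ABSPATH . WPINC . '/class-phpass.php';
 $wp_hasher = new PasswordHash( 8, true );
 }
 
-if ( $wp_hasher->CheckPassword( $key, $row->user_activation_key ) )
+/**
+ * Filter the expiration time of password reset keys.
+ *
+ * @since 4.3.0
+ *
+ * @param int $expiration The expiration time in seconds.
+ */
+$expiration_duration = apply_filters( 'password_reset_expiration', DAY_IN_SECONDS );
+
+if ( false !== strpos( $row->user_activation_key, ':' ) ) {
+list( $pass_request_time, $pass_key ) = explode( ':', $row->user_activation_key, 2 );
+$expiration_time = $pass_request_time + $expiration_duration;
+} else {
+$pass_key = $row->user_activation_key;
+$expiration_time = false;
+}
+
+$hash_is_correct = $wp_hasher->CheckPassword( $key, $pass_key );
+
+if ( $hash_is_correct && $expiration_time && time() < $expiration_time ) {
 return get_userdata( $row->ID );
+} elseif ( $hash_is_correct && $expiration_time ) {
+// Key has an expiration time that's passed
+return new WP_Error( 'expired_key', __( 'Your password reset token has expired.' ) );
+}
 
-if ( $key === $row->user_activation_key) {
-$return = new WP_Error( 'expired_key', __( ' Invalid key' ) );
+if ( hash_equals( $row->user_activation_key, $key ) || ( $hash_is_correct && ! $expiration_time ) ) {
+$return = new WP_Error( 'expired_key', __( 'Your password reset token has expired.' ) );
 $user_id = $row->ID;
 
 /**
 * Filter the return value of check_password_reset_key() when an
-* old-style key is used (plain-text key was stored in the database).
+* old-style key is used.
 *
-* @since 3.7.0
+* @since 3.7.0 Previously plain-text keys were stored in the database.
+* @since 4.3.0 Previously key hashes were stored without an expiration time.
 *
 * @param WP_Error $return A WP_Error object denoting an expired key.
 * Return a WP_User object to validate the key.
 * @param int $user_id The matched user ID.
 */
 return apply_filters( 'password_reset_key_expired', $return, $user_id );
 }
 
 return new WP_Error( 'invalid_key', __( 'Invalid key' ) );
 }
 
 /**
 * Handles resetting the user's password.
 *
 * @since 2.5.0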
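Review bot: `$pass_request_time` comes out of `explode()` at the new line 2471 as an unchecked string and is used in arithmetic on line 2472; a stored `user_activation_key` that contains `:` but no numeric prefix would give an expiration of `0 + $expiration_duration` (and a warning or TypeError on current PHP), so the key is reported as expired rather than invalid. Validating and casting it, `if ( ! is_numeric( $pass_request_time ) ) { return new WP_Error( 'invalid_key', __( 'Invalid key' ) ); }` followed by `$expiration_time = (int) $pass_request_time + $expiration_duration;`, keeps the expired/invalid distinction honest. The new `expired_key` return on line 2484 also bypasses the `password_reset_key_expired` filter that the legacy branch below still applies; if that asymmetry is deliberate, a one-line comment such as `// Time-stamped keys that have expired are not filterable; only legacy keys are.` would save the next reader the question. The comparison logic itself looks sound: `CheckPassword()` is evaluated unconditionally and the plaintext legacy path uses `hash_equals()`, so the branch taken is not exposed through a short-circuit. The opening lines of check_password_reset_key() are above the hunk; its closing brace is inside it.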
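--- a/src/wp-login.php
+++ b/src/wp-login.php
@@ -351,31 +351,31 @@ function retrieve_password() {
 /**
 * Fires when a password reset key is generated.
 *
 * @since 2.5.0
 *
 * @param string $user_login The username for the user.
 * @param string $key The generated password reset key.
 */
 do_action( 'retrieve_password_key', $user_login, $key );
 
 // Now insert the key, hashed, into the DB.
 if ( empty( $wp_hasher ) ) {
 require_once ABSPATH . WPINC . '/class-phpass.php';
 $wp_hasher = new PasswordHash( 8, true );
 }
-$hashed = $wp_hasher->HashPassword( $key );
+$hashed = time() . ':' . $wp_hasher->HashPassword( $key );
 $wpdb->update( $wpdb->users, array( 'user_activation_key' => $hashed ), array( 'user_login' => $user_login ) );
 
 $message = __('Someone requested that the password be reset for the following account:') . "\r\n\r\n";
 $message .= network_home_url( '/' ) . "\r\n\r\n";
 $message .= sprintf(__('Username: %s'), $user_login) . "\r\n\r\n";
 $message .= __('If this was a mistake, just ignore this email and nothing will happen.') . "\r\n\r\n";
 $message .= __('To reset your password, visit the following address:') . "\r\n\r\n";
 $message .= '<' . network_site_url("wp-login.php?action=rp&key=$key&login=" . rawurlencode($user_login), 'login') . ">\r\n";
 
 if ( is_multisite() )
 $blogname = $GLOBALS['current_site']->site_name;
 else
 /*
 * The blogname option is escaped with esc_html on the way into the database
 * in sanitize_option we want to reverse this for the plain text arena of emails.
@@ -519,31 +519,31 @@ case 'lostpassword' :
 case 'retrievepassword' :
 
 if ( $http_post ) {
 $errors = retrieve_password();
 if ( !is_wp_error($errors) ) {
 $redirect_to = !empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : 'wp-login.php?checkemail=confirm';
 wp_safe_redirect( $redirect_to );
 exit();
 }
 }
 
 if ( isset( $_GET['error'] ) ) {
 if ( 'invalidkey' == $_GET['error'] )
 $errors->add( 'invalidkey', __( 'Sorry, that key does not appear to be valid.' ) );
 elseif ( 'expiredkey' == $_GET['error'] )
-$errors->add( 'expiredkey', __( ' Sorry, that key has expired. Please try again.' ) );
+$errors->add( 'expiredkey', __( 'Your password reset link has expired. Please request a new link below.' ) );
 }
 
 $lostpassword_redirect = ! empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '';
 /**
 * Filter the URL redirected to after submitting the lostpassword/retrievepassword form.
 *
 * @since 3.0.0
 *
 * @param string $lostpassword_redirect The redirect destination URL.
 */
 $redirect_to = apply_filters( 'lostpassword_redirect', $lostpassword_redirect );
 
 /**
 * Fires before the lost password form.
 *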
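Review bot: The new line 366 joins `time()` and the hash with `:` but nothing at the write site documents the stored format; a reader has to find the parser in check_password_reset_key() to learn what the prefix is for, and the split there relies on the hash itself never containing `:`, which holds for phpass output but is worth stating. A comment above the assignment would tie the two sides together, e.g. `// Store "<unix time>:<hash>" so check_password_reset_key() can enforce the password_reset_expiration window; phpass hashes never contain ':'.` The second hunk (line 534) is a message change only. retrieve_password() begins and ends outside the first hunk, and the `case 'lostpassword'` block around the second hunk continues past it.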