

Ticket #32429: 32429.diff

File 32429.diff, 2.6 KB (added by MikeHansenMe, 6 years ago)

Refresh of the non-cron patch by dllh on #21314

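--- a/src/wp-includes/user.php
+++ b/src/wp-includes/user.php
@@ -2253,6 +2253,13 @@
 
         $key = preg_replace('/[^a-z0-9]/i', '', $key);
 
+        /**
+         * Get usermeta that stores a timestamp we check against to make sure
+         * the reset request isn't too old.
+         */
+        $user = get_user_by( 'login', $login );
+        $reset_password_timestamp = get_user_meta( $user->ID, 'reset_password_timestamp', true );
+
         if ( empty( $key ) || !is_string( $key ) )
                 return new WP_Error('invalid_key', __('Invalid key'));
 
@@ -2268,8 +2275,26 @@
                 $wp_hasher = new PasswordHash( 8, true );
         }
 
-        if ( $wp_hasher->CheckPassword( $key, $row->user_activation_key ) )
+        if ( empty( $reset_password_timestamp ) ) {
+                return new WP_Error( 'expired_key', __( 'Invalid key' ) );
+        }
+
+        /**
+         * Filter the password reset expiry duration in seconds.
+         *
+         * @since ???
+         *
+         * @param int  An integer representing the time in seconds for which a
+         *             password reset key should be considered valid.
+         */
+        $reset_password_expiry_in_seconds = apply_filters( 'reset_password_expiry_in_seconds', 4 * HOUR_IN_SECONDS );
+        if ( time() - (int) $reset_password_timestamp > $reset_password_expiry_in_seconds ) {
+                return new WP_Error( 'expired_key', 'Invalid key' );
+        }
+
+        if ( $wp_hasher->CheckPassword( $key, $row->user_activation_key ) ) {
                 return get_userdata( $row->ID );
+        }
 
         if ( $key === $row->user_activation_key ) {
                 $return = new WP_Error( 'expired_key', __( 'Invalid key' ) );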
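Review bot: `$user->ID` on the new line 2261 is dereferenced before `$user` is checked, so an unknown `$login` (get_user_by() returns false) raises a PHP notice and passes null to get_user_meta(); the existing `$login` validation presumably sits below this hunk, so the lookup should either move after it or be guarded with `if ( ! $user ) { return new WP_Error( 'invalid_key', __( 'Invalid key' ) ); }`. The same unchecked `$user->ID` pattern appears in the retrieve_password() hunk of src/wp-login.php. In the second hunk the expiry error on line 2292 passes a bare `'Invalid key'` where line 2279 wraps the same text in `__()`; make it `return new WP_Error( 'expired_key', __( 'Invalid key' ) );`. The filter docblock still carries `@since ???`, which needs the target version before this can land. check_password_reset_key()'s signature and its `$login` checks lie outside these hunks.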
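--- a/src/wp-login.php
+++ b/src/wp-login.php
@@ -403,6 +403,10 @@
         if ( $message && !wp_mail( $user_email, wp_specialchars_decode( $title ), $message ) )
                 wp_die( __('The e-mail could not be sent.') . "<br />\n" . __('Possible reason: your host may have disabled the mail() function.') );
 
+        // Store a timestamp so that we can expire password resets.
+        $user = get_user_by( 'login', $user_login );
+        update_user_meta( $user->ID, 'reset_password_timestamp', time() );
+
         return true;
 }
 
@@ -818,6 +822,9 @@
         $redirect_to = apply_filters( 'login_redirect', $redirect_to, $requested_redirect_to, $user );
 
         if ( !is_wp_error($user) && !$reauth ) {
+                // Clean up user meta that may have been saved in the case of a password reset request.
+                delete_user_meta( $user->ID, 'reset_password_timestamp' );
+
                 if ( $interim_login ) {
                         $message = '<p class="message">' . __('You have logged in successfully.') . '</p>';
                         $interim_login = 'success';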
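Review bot: The lookup on the new line 407 re-fetches the user by login even though retrieve_password() has already resolved the account earlier in the function (presumably as `$user_data`, from which `$user_login` is taken), so the ID should come from that object instead of an unchecked `get_user_by()` result, e.g. `update_user_meta( $user_data->ID, 'reset_password_timestamp', time() );`. The comment on line 825 describes the deletion only as clean-up, but because check_password_reset_key() rejects a missing timestamp as `expired_key`, the effect is that any outstanding reset key stops validating once the user logs in by other means; say so, e.g. `// Remove the reset timestamp: a pending password reset key is no longer honoured once the user has logged in.` Both enclosing functions start outside their hunks.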