Ticket #32429: 32429.diff
File 32429.diff, 2.6 KB (added by , 6 years ago) |
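--- a/src/wp-includes/user.php
+++ b/src/wp-includes/user.php
@@ -2253,6 +2253,13 @@
 
 	$key = preg_replace('/[^a-z0-9]/i', '', $key);
 
+	/**
+	 * Get usermeta that stores a timestamp we check against to make sure
+	 * the reset request isn't too old.
+	 */
+	$user = get_user_by( 'login', $login );
+	$reset_password_timestamp = get_user_meta( $user->ID, 'reset_password_timestamp', true );
+
 	if ( empty( $key ) || !is_string( $key ) )
 		return new WP_Error('invalid_key', __('Invalid key'));
 
@@ -2268,8 +2275,26 @@
 		$wp_hasher = new PasswordHash( 8, true );
 	}
 
-	if ( $wp_hasher->CheckPassword( $key, $row->user_activation_key ) )
+	if ( empty( $reset_password_timestamp ) ) {
+		return new WP_Error( 'expired_key', __( 'Invalid key' ) );
+	}
+
+	/**
+	 * Filter the password reset expiry duration in seconds.
+	 *
+	 * @since ???
+	 *
+	 * @param int An integer representing the time in seconds for which a
+	 *            password reset key should be considered valid.
+	 */
+	$reset_password_expiry_in_seconds = apply_filters( 'reset_password_expiry_in_seconds', 4 * HOUR_IN_SECONDS );
+	if ( time() - (int) $reset_password_timestamp > $reset_password_expiry_in_seconds ) {
+		return new WP_Error( 'expired_key', 'Invalid key' );
+	}
+
+	if ( $wp_hasher->CheckPassword( $key, $row->user_activation_key ) ) {
 		return get_userdata( $row->ID );
+	}
 
 	if ( $key === $row->user_activation_key ) {
 		$return = new WP_Error( 'expired_key', __( 'Invalid key' ) );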
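Review bot: New line 2260 dereferences `$user->ID` on line 2261 without checking that `get_user_by( 'login', $login )` found a user; for an unknown login `$user` is `false`, which raises a PHP notice/warning and feeds a null ID into `get_user_meta()` before the key itself has been validated. Guard it, e.g. `if ( ! $user ) { return new WP_Error( 'invalid_key', __( 'Invalid key' ) ); }`, or move the timestamp lookup down to where `$row` has already been fetched so the login and key are checked first. New line 2292 also returns a bare `'Invalid key'` string while the otherwise identical error on line 2279 wraps it in `__()`; the two should match. The `@since ???` placeholder in the filter docblock needs the target version before this lands. The enclosing function starts and ends outside the hunk.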
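--- a/src/wp-login.php
+++ b/src/wp-login.php
@@ -403,6 +403,10 @@
 	if ( $message && !wp_mail( $user_email, wp_specialchars_decode( $title ), $message ) )
 		wp_die( __('The e-mail could not be sent.') . "<br />\n" . __('Possible reason: your host may have disabled the mail() function.') );
 
+	// Store a timestamp so that we can expire password resets.
+	$user = get_user_by( 'login', $user_login );
+	update_user_meta( $user->ID, 'reset_password_timestamp', time() );
+
 	return true;
 }
 
@@ -818,6 +822,9 @@
 	$redirect_to = apply_filters( 'login_redirect', $redirect_to, $requested_redirect_to, $user );
 
 	if ( !is_wp_error($user) && !$reauth ) {
+		// Clean up user meta that may have been saved in the case of a password reset request.
+		delete_user_meta( $user->ID, 'reset_password_timestamp' );
+
 		if ( $interim_login ) {
 			$message = '<p class="message">' . __('You have logged in successfully.') . '</p>';
 			$interim_login = 'success';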
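Review bot: New line 407 re-queries the user with `get_user_by( 'login', $user_login )` and line 408 reads `$user->ID` without checking the result; the surrounding function already has the user's e-mail in hand on line 403, so it presumably holds the resolved user object earlier in the function (outside the hunk) and could reuse it instead of an unguarded second lookup — confirm against the lines above. If a fresh lookup is kept, add `if ( $user ) {` around the `update_user_meta()` call so a stale `$user_login` cannot produce a null-ID meta write. In the second hunk the meta is only removed on a successful login; a completed password reset leaves `reset_password_timestamp` behind, which does not weaken the check but is worth clearing where the key is consumed. Both enclosing functions start outside their hunks.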