
Ticket #38474: 38474.3.patch

File 38474.3.patch, 11.5 KB (added by bor0, 23 months ago)

Add timestamp expiry check

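--- a/wp-activate.php
+++ b/wp-activate.php
@@ -81,6 +81,10 @@
                             <label for="key"><?php _e('Activation Key:') ?></label>
                             <br /><input type="text" name="key" id="key" value="" size="50" />
                         </p>
+                        <p>
+                            <label for="key"><?php _e( 'Signup ID:' ) ?></label>
+                            <br /><input type="number" name="signup_id" id="signup_id" value="" size="50" />
+                        </p>
                         <p class="submit">
                             <input id="submit" type="submit" name="Submit" class="submit" value="<?php esc_attr_e('Activate') ?>" />
                         </p>
@@ -88,8 +92,9 @@
 
         <?php } else {
 
-                $key = !empty($_GET['key']) ? $_GET['key'] : $_POST['key'];
-                $result = wpmu_activate_signup( $key );
+                $key = ! empty( $_GET['key'] ) ? $_GET['key'] : $_POST['key'];
+                $signup_id = ! empty( $_GET['signup_id'] ) ? $_GET['signup_id'] : $_POST['signup_id'];
+                $result = wpmu_activate_signup( $key, $signup_id );
                 if ( is_wp_error($result) ) {
                         if ( 'already_active' == $result->get_error_code() || 'blog_taken' == $result->get_error_code() ) {
                                 $signup = $result->get_error_data();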
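Review bot: `$signup_id` is taken raw from `$_GET`/`$_POST` on the new line and handed to `wpmu_activate_signup()` without being normalised, even though the patched lookup in ms-functions.php selects the signup row by `OR signup_id = %d`, so this value is an attacker-chosen row selector and should at least be cast: `$signup_id = ! empty( $_GET['signup_id'] ) ? absint( $_GET['signup_id'] ) : ( isset( $_POST['signup_id'] ) ? absint( $_POST['signup_id'] ) : 0 );` (the `isset` also avoids the undefined-index notice the bare `$_POST['signup_id']` fallback produces on a GET without it). Because the ID alone is enough to pick the row, nothing on this page can be relied on for authorisation; the hashed-key comparison inside `wpmu_activate_signup()` has to remain the only gate, so the key must never be allowed to fall back to an empty value here. In the form, the new Signup ID field's label still points at the key input (`<label for="key">`) and should be `<label for="signup_id">`; `size` has no meaning on `type="number"`. The `else` branch this code sits in continues past the end of the hunk.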
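--- a/wp-admin/user-new.php
+++ b/wp-admin/user-new.php
@@ -158,8 +158,8 @@
                         }
                         wpmu_signup_user( $new_user_login, $new_user_email, array( 'add_to_blog' => get_current_blog_id(), 'new_role' => $_REQUEST['role'] ) );
                         if ( isset( $_POST[ 'noconfirmation' ] ) && current_user_can( 'manage_network_users' ) ) {
-                                $key = $wpdb->get_var( $wpdb->prepare( "SELECT activation_key FROM {$wpdb->signups} WHERE user_login = %s AND user_email = %s", $new_user_login, $new_user_email ) );
-                                $new_user = wpmu_activate_signup( $key );
+                                $row = $wpdb->get_row( $wpdb->prepare( "SELECT activation_key, signup_id FROM {$wpdb->signups} WHERE user_login = %s AND user_email = %s", $new_user_login, $new_user_email ) );
+                                $new_user = wpmu_activate_signup( $row['activation_key'], $row['signup_id'] );
                                 if ( is_wp_error( $new_user ) ) {
                                         $redirect = add_query_arg( array( 'update' => 'addnoconfirmation' ), 'user-new.php' );
                                 } elseif ( ! is_user_member_of_blog( $new_user['user_id'] ) ) {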
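Review bot: The `$row['activation_key']` read back from the signups table on the new line is no longer the value `wpmu_activate_signup()` expects: with this patch the column stores `time() . ':' . $wp_hasher->HashPassword( $key )` (ms-functions.php hunk) and activation verifies with `CheckPassword( $key, $signup_key )`, so passing the stored hash in as `$key` cannot verify and the no-confirmation path stops working. The plaintext key exists only inside `wpmu_signup_user()`; it would have to be returned from there, or captured from the `$key` argument of the `after_signup_user` action the patch already fires, for this call to succeed. Separately, `$wpdb->get_row()` is called without an output type here, so `$row['activation_key']` / `$row['signup_id']` look like they should be `$row->activation_key` / `$row->signup_id` (or pass `ARRAY_A`), and `$row` should be checked for `null` before it is dereferenced.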
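--- a/wp-includes/ms-default-filters.php
+++ b/wp-includes/ms-default-filters.php
@@ -26,7 +26,7 @@
 add_action( 'wpmu_new_user', 'newuser_notify_siteadmin' );
 add_action( 'wpmu_activate_user', 'add_new_user_to_blog', 10, 3 );
 add_action( 'wpmu_activate_user', 'wpmu_welcome_user_notification', 10, 3 );
-add_action( 'after_signup_user', 'wpmu_signup_user_notification', 10, 4 );
+add_action( 'after_signup_user', 'wpmu_signup_user_notification', 10, 5 );
 add_action( 'network_site_new_created_user',   'wp_send_new_user_notifications' );
 add_action( 'network_site_users_created_user', 'wp_send_new_user_notifications' );
 add_action( 'network_user_new_created_user',   'wp_send_new_user_notifications' );
@@ -40,7 +40,7 @@
 add_action( 'wpmu_new_blog', 'wpmu_log_new_registrations', 10, 2 );
 add_action( 'wpmu_new_blog', 'newblog_notify_siteadmin', 10, 2 );
 add_action( 'wpmu_activate_blog', 'wpmu_welcome_notification', 10, 5 );
-add_action( 'after_signup_site', 'wpmu_signup_blog_notification', 10, 7 );
+add_action( 'after_signup_site', 'wpmu_signup_blog_notification', 10, 8 );
 
 // Register Nonce
 add_action( 'signup_hidden_fields', 'signup_nonce_fields' );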
  • wp-includes/ms-functions.php

     
    704704 * @param array  $meta       Optional. Signup meta data. By default, contains the requested privacy setting and lang_id.
    705705 */
    706706function wpmu_signup_blog( $domain, $path, $title, $user, $user_email, $meta = array() )  {
    707         global $wpdb;
     707        global $wpdb, $wp_hasher;
    708708
    709709        $key = substr( md5( time() . wp_rand() . $domain ), 0, 16 );
    710710
     711        if ( empty( $wp_hasher ) ) {
     712                $wp_hasher = new PasswordHash( 8, true );
     713        }
     714
     715        $hashed = time() . ':' . $wp_hasher->HashPassword( $key );
     716
    711717        /**
    712718         * Filters the metadata for a site signup.
    713719         *
     
    722728         * @param string $user       The user's requested login name.
    723729         * @param string $user_email The user's email address.
    724730         * @param string $key        The user's activation key.
     731         * @param string $hashed     The user's hashed activation key.
    725732         */
    726         $meta = apply_filters( 'signup_site_meta', $meta, $domain, $path, $title, $user, $user_email, $key );
     733        $meta = apply_filters( 'signup_site_meta', $meta, $domain, $path, $title, $user, $user_email, $key, $hashed );
    727734
    728735        $wpdb->insert( $wpdb->signups, array(
    729736                'domain' => $domain,
     
    732739                'user_login' => $user,
    733740                'user_email' => $user_email,
    734741                'registered' => current_time('mysql', true),
    735                 'activation_key' => $key,
     742                'activation_key' => $hashed,
    736743                'meta' => serialize( $meta )
    737744        ) );
    738745
     
    748755         * @param string $user_email The user's email address.
    749756         * @param string $key        The user's activation key.
    750757         * @param array  $meta       Signup meta data. By default, contains the requested privacy setting and lang_id.
     758         * @param int    $signup_id  Signup ID.
     759         * @param string $hashed     The user's hashed activation key.
    751760         */
    752         do_action( 'after_signup_site', $domain, $path, $title, $user, $user_email, $key, $meta );
     761        do_action( 'after_signup_site', $domain, $path, $title, $user, $user_email, $key, $meta, $wpdb->insert_id, $hashed );
    753762}
    754763
    755764/**
     
    767776 * @param array  $meta       Optional. Signup meta data. Default empty array.
    768777 */
    769778function wpmu_signup_user( $user, $user_email, $meta = array() ) {
    770         global $wpdb;
     779        global $wpdb, $wp_hasher;
    771780
    772781        // Format data
    773782        $user = preg_replace( '/\s+/', '', sanitize_user( $user, true ) );
     
    774783        $user_email = sanitize_email( $user_email );
    775784        $key = substr( md5( time() . wp_rand() . $user_email ), 0, 16 );
    776785
     786        if ( empty( $wp_hasher ) ) {
     787                $wp_hasher = new PasswordHash( 8, true );
     788        }
     789
     790        $hashed = time() . ':' . $wp_hasher->HashPassword( $key );
     791
    777792        /**
    778793         * Filters the metadata for a user signup.
    779794         *
     
    785800         * @param string $user       The user's requested login name.
    786801         * @param string $user_email The user's email address.
    787802         * @param string $key        The user's activation key.
     803         * @param string $hashed     The user's hashed activation key.
    788804         */
    789         $meta = apply_filters( 'signup_user_meta', $meta, $user, $user_email, $key );
     805        $meta = apply_filters( 'signup_user_meta', $meta, $user, $user_email, $key, $hashed );
    790806
    791807        $wpdb->insert( $wpdb->signups, array(
    792808                'domain' => '',
     
    795811                'user_login' => $user,
    796812                'user_email' => $user_email,
    797813                'registered' => current_time('mysql', true),
    798                 'activation_key' => $key,
     814                'activation_key' => $hashed,
    799815                'meta' => serialize( $meta )
    800816        ) );
    801817
     
    808824         * @param string $user_email The user's email address.
    809825         * @param string $key        The user's activation key.
    810826         * @param array  $meta       Signup meta data. Default empty array.
     827         * @param int    $signup_id  Signup ID.
     828         * @param string $hashed     The user's hashed activation key.
    811829         */
    812         do_action( 'after_signup_user', $user, $user_email, $key, $meta );
     830        do_action( 'after_signup_user', $user, $user_email, $key, $meta, $wpdb->insert_id, $hashed );
    813831}
    814832
    815833/**
     
    835853 * @param string $user_email The user's email address.
    836854 * @param string $key        The activation key created in wpmu_signup_blog()
    837855 * @param array  $meta       Optional. Signup meta data. By default, contains the requested privacy setting and lang_id.
     856 * @param int    $signup_id  Signup ID.
    838857 * @return bool
    839858 */
    840 function wpmu_signup_blog_notification( $domain, $path, $title, $user_login, $user_email, $key, $meta = array() ) {
     859function wpmu_signup_blog_notification( $domain, $path, $title, $user_login, $user_email, $key, $meta = array(), $signup_id ) {
    841860        /**
    842861         * Filters whether to bypass the new site email notification.
    843862         *
     
    857876
    858877        // Send email with activation link.
    859878        if ( !is_subdomain_install() || get_current_network_id() != 1 )
    860                 $activate_url = network_site_url("wp-activate.php?key=$key");
     879                $activate_url = network_site_url( "wp-activate.php?key=$key&signup_id=$signup_id" );
    861880        else
    862                 $activate_url = "http://{$domain}{$path}wp-activate.php?key=$key"; // @todo use *_url() API
     881                $activate_url = "http://{$domain}{$path}wp-activate.php?key=$key&signup_id=$signup_id"; // @todo use *_url() API
    863882
    864883        $activate_url = esc_url($activate_url);
    865884        $admin_email = get_site_option( 'admin_email' );
     
    949968 * @param string $user_email The user's email address.
    950969 * @param string $key        The activation key created in wpmu_signup_user()
    951970 * @param array  $meta       Optional. Signup meta data. Default empty array.
     971 * @param int    $signup_id  Signup ID.
    952972 * @return bool
    953973 */
    954 function wpmu_signup_user_notification( $user_login, $user_email, $key, $meta = array() ) {
     974function wpmu_signup_user_notification( $user_login, $user_email, $key, $meta = array(), $signup_id ) {
    955975        /**
    956976         * Filters whether to bypass the email notification for new user sign-up.
    957977         *
     
    9921012                        __( "To activate your user, please click the following link:\n\n%s\n\nAfter you activate, you will receive *another email* with your login." ),
    9931013                        $user_login, $user_email, $key, $meta
    9941014                ),
    995                 site_url( "wp-activate.php?key=$key" )
     1015                site_url( "wp-activate.php?key=$key&signup_id=$signup_id" )
    9961016        );
    9971017        // TODO: Don't hard code activation link.
    9981018        $subject = sprintf(
     
    10371057 * @global wpdb $wpdb WordPress database abstraction object.
    10381058 *
    10391059 * @param string $key The activation key provided to the user.
     1060 * @param int $signup_id The Signup ID.
    10401061 * @return array|WP_Error An array containing information about the activated user and/or blog
    10411062 */
    1042 function wpmu_activate_signup($key) {
    1043         global $wpdb;
     1063function wpmu_activate_signup( $key, $signup_id ) {
     1064        global $wpdb, $wp_hasher;
    10441065
    1045         $signup = $wpdb->get_row( $wpdb->prepare("SELECT * FROM $wpdb->signups WHERE activation_key = %s", $key) );
     1066        $signup = $wpdb->get_row( $wpdb->prepare( "SELECT * FROM $wpdb->signups WHERE activation_key = %s OR signup_id = %d", $key, $signup_id ) );
    10461067
    1047         if ( empty( $signup ) )
     1068        if ( empty( $signup ) ) {
     1069                return new WP_Error( 'invalid_id', __( 'Invalid signup ID.' ) );
     1070        }
     1071
     1072        if ( empty( $wp_hasher ) ) {
     1073                $wp_hasher = new PasswordHash( 8, true );
     1074        }
     1075
     1076        if ( $key === $signup->activation_key ) {
     1077                return new WP_Error( 'expired_key', __( 'Invalid key' ) );
     1078        }
     1079
     1080        if ( false !== strpos( $signup->activation_key, ':' ) ) {
    10481081                return new WP_Error( 'invalid_key', __( 'Invalid activation key.' ) );
     1082        }
    10491083
     1084        list( $pass_request_time, $signup_key ) = explode( ':', $signup->activation_key, 2 );
     1085
     1086        if ( ! $wp_hasher->CheckPassword( $key, $signup_key ) ) {
     1087                return new WP_Error( 'invalid_key', __( 'Invalid activation key.' ) );
     1088        }
     1089
     1090        /**
     1091         * Filters the expiration time of password reset keys.
     1092         *
     1093         * @since 5.0
     1094         *
     1095         * @param int $expiration_duration The expiration time in seconds.
     1096         */
     1097        $expiration_duration = apply_filters( 'activate_signup_expiration', DAY_IN_SECONDS );
     1098        $expiration_time     = $pass_request_time + $expiration_duration;
     1099
     1100        if ( time() < $expiration_time ) {
     1101                return new WP_Error( 'expired_key', __( 'Invalid key' ) );
     1102        }
     1103
    10501104        if ( $signup->active ) {
    10511105                if ( empty( $signup->domain ) )
    10521106                        return new WP_Error( 'already_active', __( 'The user is already active.' ), $signup );