Ticket #38474: 38474.4.patch

File 38474.4.patch, 11.8 KB (added by bor0, 22 months ago)

Bug fixes after local testing, and code reorganization

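--- a/wp-activate.php
+++ b/wp-activate.php
@@ -81,6 +81,10 @@
                             <label for="key"><?php _e('Activation Key:') ?></label>
                             <br /><input type="text" name="key" id="key" value="" size="50" />
                         </p>
+                        <p>
+                            <label for="key"><?php _e( 'Signup ID:' ) ?></label>
+                            <br /><input type="number" name="signup_id" id="signup_id" value="" size="50" />
+                        </p>
                         <p class="submit">
                             <input id="submit" type="submit" name="Submit" class="submit" value="<?php esc_attr_e('Activate') ?>" />
                         </p>
@@ -88,8 +92,9 @@
 
         <?php } else {
 
-                $key = !empty($_GET['key']) ? $_GET['key'] : $_POST['key'];
-                $result = wpmu_activate_signup( $key );
+                $key = ! empty( $_GET['key'] ) ? $_GET['key'] : $_POST['key'];
+                $signup_id = ! empty( $_GET['signup_id'] ) ? $_GET['signup_id'] : $_POST['signup_id'];
+                $result = wpmu_activate_signup( $key, $signup_id );
                 if ( is_wp_error($result) ) {
                         if ( 'already_active' == $result->get_error_code() || 'blog_taken' == $result->get_error_code() ) {
                                 $signup = $result->get_error_data();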
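Review bot: On new line 96 `$signup_id` is taken straight from `$_GET`/`$_POST` and handed to `wpmu_activate_signup()` without a cast, and `$_POST['signup_id']` is an undefined index whenever the request carries only `key` (for example an activation link that predates this patch). Normalising the value at this boundary keeps a non-numeric or missing ID from reaching the `signup_id = %d` lookup as anything but an integer: `$signup_id = absint( ! empty( $_GET['signup_id'] ) ? $_GET['signup_id'] : ( isset( $_POST['signup_id'] ) ? $_POST['signup_id'] : 0 ) );`. In the form hunk, the added label on new line 85 still has `for="key"`, which binds it to the Activation Key input; it should read `for="signup_id"`. The `else` branch that contains line 96 opens and closes outside the hunk, so whether its condition also requires `signup_id` cannot be confirmed from here.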
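--- a/wp-admin/user-new.php
+++ b/wp-admin/user-new.php
@@ -158,8 +158,8 @@
                         }
                         wpmu_signup_user( $new_user_login, $new_user_email, array( 'add_to_blog' => get_current_blog_id(), 'new_role' => $_REQUEST['role'] ) );
                         if ( isset( $_POST[ 'noconfirmation' ] ) && current_user_can( 'manage_network_users' ) ) {
-                                $key = $wpdb->get_var( $wpdb->prepare( "SELECT activation_key FROM {$wpdb->signups} WHERE user_login = %s AND user_email = %s", $new_user_login, $new_user_email ) );
-                                $new_user = wpmu_activate_signup( $key );
+                                $row = $wpdb->get_row( $wpdb->prepare( "SELECT activation_key, signup_id FROM {$wpdb->signups} WHERE user_login = %s AND user_email = %s", $new_user_login, $new_user_email ) );
+                                $new_user = wpmu_activate_signup( $row['activation_key'], $row['signup_id'] );
                                 if ( is_wp_error( $new_user ) ) {
                                         $redirect = add_query_arg( array( 'update' => 'addnoconfirmation' ), 'user-new.php' );
                                 } elseif ( ! is_user_member_of_blog( $new_user['user_id'] ) ) {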
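Review bot: `$wpdb->get_row()` returns an object unless an output type is passed, so the array access `$row['activation_key']` / `$row['signup_id']` on new line 162 fails at runtime; use `$row->activation_key` and `$row->signup_id` (or pass `ARRAY_A`), and return early when no row matches. Even with that fixed, the column now stores `<timestamp>:<hash>` (see the `wpmu_signup_user()` change in wp-includes/ms-functions.php), and the patched `wpmu_activate_signup()` treats a `$key` identical to the stored value as a legacy key and returns `expired_key`, so the no-confirmation path always ends in the `addnoconfirmation` redirect. Because the plaintext key can no longer be read back from the table, this path needs another source for it, for instance having `wpmu_signup_user()` hand the key back to its caller, or a separate activate-by-ID routine that stays behind the existing `current_user_can( 'manage_network_users' )` check. The enclosing block starts and ends outside the hunk.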
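--- a/wp-includes/ms-default-filters.php
+++ b/wp-includes/ms-default-filters.php
@@ -26,7 +26,7 @@
 add_action( 'wpmu_new_user', 'newuser_notify_siteadmin' );
 add_action( 'wpmu_activate_user', 'add_new_user_to_blog', 10, 3 );
 add_action( 'wpmu_activate_user', 'wpmu_welcome_user_notification', 10, 3 );
-add_action( 'after_signup_user', 'wpmu_signup_user_notification', 10, 4 );
+add_action( 'after_signup_user', 'wpmu_signup_user_notification', 10, 5 );
 add_action( 'network_site_new_created_user',   'wp_send_new_user_notifications' );
 add_action( 'network_site_users_created_user', 'wp_send_new_user_notifications' );
 add_action( 'network_user_new_created_user',   'wp_send_new_user_notifications' );
@@ -40,7 +40,7 @@
 add_action( 'wpmu_new_blog', 'wpmu_log_new_registrations', 10, 2 );
 add_action( 'wpmu_new_blog', 'newblog_notify_siteadmin', 10, 2 );
 add_action( 'wpmu_activate_blog', 'wpmu_welcome_notification', 10, 5 );
-add_action( 'after_signup_site', 'wpmu_signup_blog_notification', 10, 7 );
+add_action( 'after_signup_site', 'wpmu_signup_blog_notification', 10, 8 );
 
 // Register Nonce
 add_action( 'signup_hidden_fields', 'signup_nonce_fields' );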
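Review bot: The two callbacks registered here with 5 and 8 accepted arguments now declare `$signup_id` as a required parameter placed after the optional `$meta = array()` (new lines 861 and 976 of wp-includes/ms-functions.php), which is not backward compatible. A plugin that unhooks and re-registers either callback with the previous counts 4 and 7, or calls the function directly with the old argument list, will invoke it without `$signup_id`; depending on the PHP version that is an argument-count error or an activation link with an empty `signup_id`. Declaring the parameter as `$signup_id = 0` and handling the zero case explicitly would keep existing callers working. It would also help to note next to these registrations that the hooks pass one more argument (`$hashed`) than the callbacks accept, so the omission reads as deliberate.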
  • wp-includes/ms-functions.php

     
    704704 * @param array  $meta       Optional. Signup meta data. By default, contains the requested privacy setting and lang_id.
    705705 */
    706706function wpmu_signup_blog( $domain, $path, $title, $user, $user_email, $meta = array() )  {
    707         global $wpdb;
     707        global $wpdb, $wp_hasher;
    708708
    709709        $key = substr( md5( time() . wp_rand() . $domain ), 0, 16 );
    710710
     711        if ( empty( $wp_hasher ) ) {
     712                require_once ABSPATH . WPINC . '/class-phpass.php';
     713                $wp_hasher = new PasswordHash( 8, true );
     714        }
     715
     716        $hashed = time() . ':' . $wp_hasher->HashPassword( $key );
     717
    711718        /**
    712719         * Filters the metadata for a site signup.
    713720         *
     
    722729         * @param string $user       The user's requested login name.
    723730         * @param string $user_email The user's email address.
    724731         * @param string $key        The user's activation key.
     732         * @param string $hashed     The user's hashed activation key.
    725733         */
    726         $meta = apply_filters( 'signup_site_meta', $meta, $domain, $path, $title, $user, $user_email, $key );
     734        $meta = apply_filters( 'signup_site_meta', $meta, $domain, $path, $title, $user, $user_email, $key, $hashed );
    727735
    728736        $wpdb->insert( $wpdb->signups, array(
    729737                'domain' => $domain,
     
    732740                'user_login' => $user,
    733741                'user_email' => $user_email,
    734742                'registered' => current_time('mysql', true),
    735                 'activation_key' => $key,
     743                'activation_key' => $hashed,
    736744                'meta' => serialize( $meta )
    737745        ) );
    738746
     
    748756         * @param string $user_email The user's email address.
    749757         * @param string $key        The user's activation key.
    750758         * @param array  $meta       Signup meta data. By default, contains the requested privacy setting and lang_id.
     759         * @param int    $signup_id  Signup ID.
     760         * @param string $hashed     The user's hashed activation key.
    751761         */
    752         do_action( 'after_signup_site', $domain, $path, $title, $user, $user_email, $key, $meta );
     762        do_action( 'after_signup_site', $domain, $path, $title, $user, $user_email, $key, $meta, $wpdb->insert_id, $hashed );
    753763}
    754764
    755765/**
     
    767777 * @param array  $meta       Optional. Signup meta data. Default empty array.
    768778 */
    769779function wpmu_signup_user( $user, $user_email, $meta = array() ) {
    770         global $wpdb;
     780        global $wpdb, $wp_hasher;
    771781
    772782        // Format data
    773783        $user = preg_replace( '/\s+/', '', sanitize_user( $user, true ) );
     
    774784        $user_email = sanitize_email( $user_email );
    775785        $key = substr( md5( time() . wp_rand() . $user_email ), 0, 16 );
    776786
     787        if ( empty( $wp_hasher ) ) {
     788                require_once ABSPATH . WPINC . '/class-phpass.php';
     789                $wp_hasher = new PasswordHash( 8, true );
     790        }
     791
     792        $hashed = time() . ':' . $wp_hasher->HashPassword( $key );
     793
    777794        /**
    778795         * Filters the metadata for a user signup.
    779796         *
     
    785802         * @param string $user       The user's requested login name.
    786803         * @param string $user_email The user's email address.
    787804         * @param string $key        The user's activation key.
     805         * @param string $hashed     The user's hashed activation key.
    788806         */
    789         $meta = apply_filters( 'signup_user_meta', $meta, $user, $user_email, $key );
     807        $meta = apply_filters( 'signup_user_meta', $meta, $user, $user_email, $key, $hashed );
    790808
    791809        $wpdb->insert( $wpdb->signups, array(
    792810                'domain' => '',
     
    795813                'user_login' => $user,
    796814                'user_email' => $user_email,
    797815                'registered' => current_time('mysql', true),
    798                 'activation_key' => $key,
     816                'activation_key' => $hashed,
    799817                'meta' => serialize( $meta )
    800818        ) );
    801819
     
    808826         * @param string $user_email The user's email address.
    809827         * @param string $key        The user's activation key.
    810828         * @param array  $meta       Signup meta data. Default empty array.
     829         * @param int    $signup_id  Signup ID.
     830         * @param string $hashed     The user's hashed activation key.
    811831         */
    812         do_action( 'after_signup_user', $user, $user_email, $key, $meta );
     832        do_action( 'after_signup_user', $user, $user_email, $key, $meta, $wpdb->insert_id, $hashed );
    813833}
    814834
    815835/**
     
    835855 * @param string $user_email The user's email address.
    836856 * @param string $key        The activation key created in wpmu_signup_blog()
    837857 * @param array  $meta       Optional. Signup meta data. By default, contains the requested privacy setting and lang_id.
     858 * @param int    $signup_id  Signup ID.
    838859 * @return bool
    839860 */
    840 function wpmu_signup_blog_notification( $domain, $path, $title, $user_login, $user_email, $key, $meta = array() ) {
     861function wpmu_signup_blog_notification( $domain, $path, $title, $user_login, $user_email, $key, $meta = array(), $signup_id ) {
    841862        /**
    842863         * Filters whether to bypass the new site email notification.
    843864         *
     
    857878
    858879        // Send email with activation link.
    859880        if ( !is_subdomain_install() || get_current_network_id() != 1 )
    860                 $activate_url = network_site_url("wp-activate.php?key=$key");
     881                $activate_url = network_site_url( "wp-activate.php?key=$key&signup_id=$signup_id" );
    861882        else
    862                 $activate_url = "http://{$domain}{$path}wp-activate.php?key=$key"; // @todo use *_url() API
     883                $activate_url = "http://{$domain}{$path}wp-activate.php?key=$key&signup_id=$signup_id"; // @todo use *_url() API
    863884
    864885        $activate_url = esc_url($activate_url);
    865886        $admin_email = get_site_option( 'admin_email' );
     
    949970 * @param string $user_email The user's email address.
    950971 * @param string $key        The activation key created in wpmu_signup_user()
    951972 * @param array  $meta       Optional. Signup meta data. Default empty array.
     973 * @param int    $signup_id  Signup ID.
    952974 * @return bool
    953975 */
    954 function wpmu_signup_user_notification( $user_login, $user_email, $key, $meta = array() ) {
     976function wpmu_signup_user_notification( $user_login, $user_email, $key, $meta = array(), $signup_id ) {
    955977        /**
    956978         * Filters whether to bypass the email notification for new user sign-up.
    957979         *
     
    9921014                        __( "To activate your user, please click the following link:\n\n%s\n\nAfter you activate, you will receive *another email* with your login." ),
    9931015                        $user_login, $user_email, $key, $meta
    9941016                ),
    995                 site_url( "wp-activate.php?key=$key" )
     1017                site_url( "wp-activate.php?key=$key&signup_id=$signup_id" )
    9961018        );
    9971019        // TODO: Don't hard code activation link.
    9981020        $subject = sprintf(
     
    10371059 * @global wpdb $wpdb WordPress database abstraction object.
    10381060 *
    10391061 * @param string $key The activation key provided to the user.
     1062 * @param int $signup_id The Signup ID.
    10401063 * @return array|WP_Error An array containing information about the activated user and/or blog
    10411064 */
    1042 function wpmu_activate_signup($key) {
    1043         global $wpdb;
     1065function wpmu_activate_signup( $key, $signup_id ) {
     1066        global $wpdb, $wp_hasher;
    10441067
    1045         $signup = $wpdb->get_row( $wpdb->prepare("SELECT * FROM $wpdb->signups WHERE activation_key = %s", $key) );
     1068        $signup = $wpdb->get_row( $wpdb->prepare( "SELECT * FROM $wpdb->signups WHERE activation_key = %s OR signup_id = %d", $key, $signup_id ) );
    10461069
    1047         if ( empty( $signup ) )
     1070        if ( empty( $signup ) ) {
     1071                return new WP_Error( 'invalid_id', __( 'Invalid signup ID.' ) );
     1072        }
     1073
     1074        // If the key requested matches the actual key in the database, it's a legacy one.
     1075        if ( $key === $signup->activation_key ) {
     1076                return new WP_Error( 'expired_key', __( 'Invalid key' ) );
     1077        }
     1078
     1079        // The format of the new keys is <timestamp>:<hashed_key>.
     1080        if ( false === strpos( $signup->activation_key, ':' ) ) {
    10481081                return new WP_Error( 'invalid_key', __( 'Invalid activation key.' ) );
     1082        }
    10491083
     1084        if ( empty( $wp_hasher ) ) {
     1085                require_once ABSPATH . WPINC . '/class-phpass.php';
     1086                $wp_hasher = new PasswordHash( 8, true );
     1087        }
     1088
     1089        list( $pass_request_time, $signup_key ) = explode( ':', $signup->activation_key, 2 );
     1090
     1091        if ( ! $wp_hasher->CheckPassword( $key, $signup_key ) ) {
     1092                return new WP_Error( 'invalid_key', __( 'Invalid activation key.' ) );
     1093        }
     1094
     1095        /**
     1096         * Filters the expiration time of signup activation keys.
     1097         *
     1098         * @since 5.0
     1099         *
     1100         * @param int $expiration_duration The expiration time in seconds.
     1101         */
     1102        $expiration_duration = apply_filters( 'activate_signup_expiration', DAY_IN_SECONDS );
     1103        $expiration_time     = $pass_request_time + $expiration_duration;
     1104
     1105        if ( time() > $expiration_time ) {
     1106                return new WP_Error( 'expired_key', __( 'Invalid key' ) );
     1107        }
     1108
    10501109        if ( $signup->active ) {
    10511110                if ( empty( $signup->domain ) )
    10521111                        return new WP_Error( 'already_active', __( 'The user is already active.' ), $signup );