
Ticket #43856: 43856.2.diff

File 43856.2.diff, 4.3 KB (added by garrett-eclipse, 3 years ago)

Refreshed patch and included text for default privacy policy content

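--- a/src/wp-admin/includes/class-wp-privacy-policy-content.php
+++ b/src/wp-admin/includes/class-wp-privacy-policy-content.php
@@ -584,6 +584,9 @@
                         $strings[] = '<p class="privacy-policy-tutorial">' . __( 'By default WordPress does not share any personal data with anyone.' ) . '</p>';
                 }
 
+                /* translators: Default privacy policy text. */
+                $strings[] = '<p>' . $suggested_text . __( 'If you request a reset of your password, your IP address will be included in the reset email.' ) . '</p>';
+
                 /* translators: Default privacy policy heading. */
                 $strings[] = '<h2>' . __( 'How long we retain your data' ) . '</h2>';
 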
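Review bot: The suggested policy sentence added at new line 588 tells visitors that "your IP address will be included in the reset email", but the value this patch puts into that email comes from wp_get_unsafe_client_ip(), whose docblock describes it as a partially anonymized network ID that is not guaranteed to be accurate. Wording such as `__( 'If you request a password reset, a partially anonymized form of your IP address will be included in the reset email.' )` would match what is actually sent. `$suggested_text` is defined outside this hunk, so what it prepends to the sentence could not be checked here.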
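--- a/src/wp-includes/functions.php
+++ b/src/wp-includes/functions.php
@@ -7635,3 +7635,68 @@
 function wp_fuzzy_number_match( $expected, $actual, $precision = 1 ) {
         return abs( (float) $expected - (float) $actual ) <= $precision;
 }
+
+/**
+ * Determines the user's actual IP address and attempts to partially
+ * anonymize an IP address by converting it to a network ID.
+ *
+ * Geolocating the network ID usually returns a similar location as the
+ * actual IP, but provides some privacy for the user.
+ *
+ * $_SERVER['REMOTE_ADDR'] cannot be used in all cases, such as when the user
+ * is making their request through a proxy, or when the web server is behind
+ * a proxy. In those cases, $_SERVER['REMOTE_ADDR'] is set to the proxy address rather
+ * than the user's actual address.
+ *
+ * Modified from https://stackoverflow.com/a/2031935/450127, MIT license.
+ * Modified from https://github.com/geertw/php-ip-anonymizer, MIT license.
+ *
+ * SECURITY WARNING: This function is _NOT_ intended to be used in
+ * circumstances where the authenticity of the IP address matters. This does
+ * _NOT_ guarantee that the returned address is valid or accurate, and it can
+ * be easily spoofed.
+ *
+ * @since 5.6.0
+ *
+ * @return string|false The anonymized address on success; or false on failure.
+ */
+function wp_get_unsafe_client_ip() {
+        $client_ip = false;
+
+        // In order of preference, with the best ones for this purpose first.
+        $address_headers = array(
+                'HTTP_CLIENT_IP',
+                'HTTP_X_FORWARDED_FOR',
+                'HTTP_X_FORWARDED',
+                'HTTP_X_CLUSTER_CLIENT_IP',
+                'HTTP_FORWARDED_FOR',
+                'HTTP_FORWARDED',
+                'REMOTE_ADDR',
+        );
+
+        foreach ( $address_headers as $header ) {
+                if ( array_key_exists( $header, $_SERVER ) ) {
+                        /*
+                         * HTTP_X_FORWARDED_FOR can contain a chain of comma-separated
+                         * addresses. The first one is the original client. It can't be
+                         * trusted for authenticity, but we don't need to for this purpose.
+                         */
+                        $address_chain = explode( ',', $_SERVER[ $header ] );
+                        $client_ip     = trim( $address_chain[0] );
+
+                        break;
+                }
+        }
+
+        if ( ! $client_ip ) {
+                return false;
+        }
+
+        $anon_ip = wp_privacy_anonymize_ip( $client_ip, true );
+
+        if ( '0.0.0.0' === $anon_ip || '::' === $anon_ip ) {
+                return false;
+        }
+
+        return $anon_ip;
+}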
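Review bot: The loop in wp_get_unsafe_client_ip() stops at the first header key that exists even when its value is empty, so a present-but-empty `HTTP_CLIENT_IP` makes the function return false without ever consulting `REMOTE_ADDR`. Adding `if ( '' === $client_ip ) { continue; }` before the `break;` would let the search fall through to the next header. The list also ranks request headers that the client sets above `REMOTE_ADDR`, so the docblock's opening line "Determines the user's actual IP address" contradicts the security warning further down; something like "Returns a best-effort, partially anonymized client address" would be more accurate. How wp_privacy_anonymize_ip() treats input that is not an address is not visible here, so it should be confirmed that arbitrary header text is normalized or rejected before the value reaches callers.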
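--- a/src/wp-login.php
+++ b/src/wp-login.php
@@ -434,8 +434,17 @@
         $message .= sprintf( __( 'Username: %s' ), $user_login ) . "\r\n\r\n";
         $message .= __( 'If this was a mistake, just ignore this email and nothing will happen.' ) . "\r\n\r\n";
         $message .= __( 'To reset your password, visit the following address:' ) . "\r\n\r\n";
-        $message .= network_site_url( "wp-login.php?action=rp&key=$key&login=" . rawurlencode( $user_login ), 'login' ) . "\r\n";
+        $message .= network_site_url( "wp-login.php?action=rp&key=$key&login=" . rawurlencode( $user_login ), 'login' ) . "\r\n\r\n";
 
+        $requestor_ip = wp_get_unsafe_client_ip();
+        if ( $requestor_ip ) {
+                $message .= sprintf(
+                        /* translators: %s: IP address of password reset requestor. */
+                        __( 'This password reset request originated from the IP address %s.' ),
+                        wp_get_unsafe_client_ip()
+                ) . "\r\n";
+        }
+
         /* translators: Password reset notification email subject. %s: Site title. */
         $title = sprintf( __( '[%s] Password Reset' ), $site_name );
 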
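Review bot: The address written into the reset email at new lines 439–446 comes from wp_get_unsafe_client_ip(), which reads client-supplied headers such as `HTTP_X_FORWARDED_FOR` before `REMOTE_ADDR` and is documented as unsuitable where authenticity matters, yet the message states it as fact and a recipient is likely to rely on it when judging whether the request was legitimate. Either take the value from `$_SERVER['REMOTE_ADDR']` only, or hedge the sentence, e.g. `__( 'This password reset request appears to have come from the network %s.' )`. The function is also called a second time inside `sprintf()` although its result is already held in `$requestor_ip`; pass `$requestor_ip` as the argument instead. The enclosing function starts and ends outside this hunk.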