Make WordPress Core

Changeset 30418


Ignore:
Timestamp:
11/20/2014 12:22:03 PM (9 years ago)
Author:
nacin
Message:

Form validation for password resets.

Merges [30417] to the 4.0 branch.

Location:
branches/4.0
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • branches/4.0

  • branches/4.0/src/wp-login.php

    r29644 r30418  
    572572        list( $rp_login, $rp_key ) = explode( ':', wp_unslash( $_COOKIE[ $rp_cookie ] ), 2 );
    573573        $user = check_password_reset_key( $rp_key, $rp_login );
     574        if ( isset( $_POST['pass1'] ) && ! hash_equals( $rp_key, $_POST['rp_key'] ) ) {
     575            $user = false;
     576        }
    574577    } else {
    575578        $user = false;
     
    641644    do_action( 'resetpass_form', $user );
    642645    ?>
     646    <input type="hidden" name="rp_key" value="<?php echo esc_attr( $rp_key ); ?>" />
    643647    <p class="submit"><input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="<?php esc_attr_e('Reset Password'); ?>" /></p>
    644648</form>
Note: See TracChangeset for help on using the changeset viewer.