
Changeset 30418


Timestamp:
11/20/14 12:22:03 (2 years ago)
Author:
nacin
Message:

Form validation for password resets.

Merges [30417] to the 4.0 branch.

Location:
branches/4.0
Files:
2 edited

  • branches/4.0

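--- a/branches/4.0/src/wp-login.php
+++ b/branches/4.0/src/wp-login.php
@@ -572,4 +572,7 @@
         list( $rp_login, $rp_key ) = explode( ':', wp_unslash( $_COOKIE[ $rp_cookie ] ), 2 );
         $user = check_password_reset_key( $rp_key, $rp_login );
+        if ( isset( $_POST['pass1'] ) && ! hash_equals( $rp_key, $_POST['rp_key'] ) ) {
+            $user = false;
+        }
     } else {
         $user = false;
@@ -641,4 +644,5 @@
     do_action( 'resetpass_form', $user );
     ?>
+    <input type="hidden" name="rp_key" value="<?php echo esc_attr( $rp_key ); ?>" />
     <p class="submit"><input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="<?php esc_attr_e('Reset Password'); ?>" /></p>
 </form>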
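Review bot: In the first hunk, `$_POST['rp_key']` goes straight into `hash_equals()` without a check that the field is present and is a string. A request that carries `pass1` but omits `rp_key`, or submits it as an array, should still end with `$user = false`, but only as a side effect of a notice or warning, and on runtimes where `hash_equals()` enforces string arguments it would raise a type error instead of a clean rejection. I would make the rejection explicit: `if ( isset( $_POST['pass1'] ) && ( ! isset( $_POST['rp_key'] ) || ! is_string( $_POST['rp_key'] ) || ! hash_equals( $rp_key, $_POST['rp_key'] ) ) ) {`. A short comment above the check, such as `// The posted key must match the key from the reset cookie before the new password is accepted.`, would also record why the hidden field added in the second hunk exists. The enclosing `if`/`else` starts and ends outside the hunk.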