Changeset 30420 for branches/3.8

Timestamp:

11/20/2014 12:24:15 PM (10 years ago)

Author:

nacin

Message:

Form validation for password resets.

Merges [30417] to the 3.8 branch.

Location:

branches/3.8

Files:

• . (modified) (1 prop)
• src/wp-login.php (modified) (2 diffs)

branches/3.8/src/wp-login.php

@@ -576 +576 @@
         list( $rp_login, $rp_key ) = explode( ':', wp_unslash( $_COOKIE[ $rp_cookie ] ), 2 );
         $user = check_password_reset_key( $rp_key, $rp_login );
+        if ( isset( $_POST['pass1'] ) && ! hash_equals( $rp_key, $_POST['rp_key'] ) ) {
+            $user = false;
+        }
     } else {
         $user = false;
@@ -634 +637 @@
 
     <br class="clear" />
+    <input type="hidden" name="rp_key" value="<?php echo esc_attr( $rp_key ); ?>" />
     <p class="submit"><input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="<?php esc_attr_e('Reset Password'); ?>" /></p>
 </form>