Make WordPress Core

Opened 11 years ago

Closed 11 years ago

Last modified 11 years ago

#10589 closed defect (bug) (invalid)

Changeset 11804 breaks password reminder

Reported by: Denis-de-Bernardy
Owned by: westi
Milestone:
Priority: normal
Severity: normal
Version: 2.8.3
Component: Security
Keywords: has-patch reporter-feedback
Focuses:
Cc:


Shouldn't it also try the email?

Attachments (1)

email.diff (668 bytes) - added by Denis-de-Bernardy 11 years ago.


Change History (8)

#1 @Denis-de-Bernardy
11 years ago

  • Keywords has-patch added
  • Summary changed from Changeset 10804 breaks password reminder to Changeset 11804 breaks password reminder

#2 follow-up: @westi
11 years ago

  • Keywords reporter-feedback added
  • Owner changed from ryan to westi
  • Priority changed from high to normal
  • Severity changed from blocker to normal
  • Status changed from new to accepted

Why do we need to check the email?

This code is processing the link that the user clicks on or copies from the email they are sent by the password reset request form.

The data is never user entered and the email contains the username even when they specify an email address.

#3 @azaozz
11 years ago

Exactly, the user_login is included in the custom URL in the password reset email (line 164). Where would the user_email come from so it limits the query on line 196?
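The flow described in comments 2 and 3, as an added example that is not part of the ticket and is not WordPress code: the request form accepts a username or an email, but the mailed link always carries the resolved login, so the link handler only needs the key and login pair. The `$users` array, `request_reset()`, `check_reset()`, the `example.test` URL and the choice to store only a hash of the key are all assumptions made for illustration.

```php
<?php
// Simplified model of the reset flow discussed in this ticket; not WordPress code.
// $users, request_reset() and check_reset() are hypothetical names.

$users = [ // constructed sample data
    'alice' => ['email' => 'alice@example.test', 'reset_hash' => null],
    'bob'   => ['email' => 'bob@example.test',   'reset_hash' => null],
];

// The request form accepts a username OR an email address, but the link
// that is mailed out always carries the resolved login.
function request_reset(array &$users, string $identifier): ?string
{
    $login = null;
    if (isset($users[$identifier])) {
        $login = $identifier;
    } else {
        foreach ($users as $name => $row) {
            if (strcasecmp($row['email'], $identifier) === 0) {
                $login = $name;
                break;
            }
        }
    }
    if ($login === null) {
        return null; // unknown account: no mail is sent
    }
    $key = bin2hex(random_bytes(16));
    // Storing only a hash of the key is this example's choice.
    $users[$login]['reset_hash'] = hash('sha256', $key);
    // Constructed URL; the host and path are placeholders.
    return 'https://example.test/reset?key=' . $key . '&login=' . rawurlencode($login);
}

// The link handler only ever sees key + login, so that pair is all it checks.
function check_reset(array $users, $key, $login): bool
{
    // Reject non-string and empty values before any lookup.
    if (!is_string($key) || !is_string($login) || $key === '' || $login === '') {
        return false;
    }
    $stored = $users[$login]['reset_hash'] ?? null;
    return is_string($stored) && hash_equals($stored, hash('sha256', $key));
}

$link = request_reset($users, 'alice@example.test'); // reset requested by email
parse_str(parse_url($link, PHP_URL_QUERY), $q);      // what the link handler receives
var_dump(check_reset($users, $q['key'], $q['login'])); // key with the login it was issued for
var_dump(check_reset($users, $q['key'], 'bob'));       // same key with a different login
```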

#4 in reply to: ↑ 2 @Denis-de-Bernardy
11 years ago

Replying to westi:

Why do we need to check the email?

Because, if you use the form, it says enter your username or email. That would be why.

#5 @Denis-de-Bernardy
11 years ago

You would know that if you had paid attention when you tried the patch. ;-)

#6 @Denis-de-Bernardy
11 years ago

  • Resolution set to invalid
  • Status changed from accepted to closed

But then OK, it's still working. My bad. I must confess I hadn't tested at all. :-P

#7 @Denis-de-Bernardy
11 years ago

  • Milestone 2.8.4 deleted