WordPress.org

Make WordPress Core

Opened 7 years ago

Closed 6 years ago

Last modified 2 years ago

#23420 closed enhancement (wontfix)

Lost password, invalid key - noticed something

Reported by: demonpengu Owned by:
Milestone: Priority: normal
Severity: normal Version: 3.5.1
Component: Mail Keywords:
Focuses: Cc:

Description

Hi there,

I have noticed something about the lost password/email retrieval that may be a bug or may help out with the number of requests this gets.

The link sent with the key and user name is surrounded with < and >

Some email clients are misinterpreting this link and including the > at the end of the user name which in turn kills the database query because the user name does not match.

I have run a couple of tests changing line 235 of wp-login.php to be:

$message .= network_site_url("wp-login.php?action=rp&key=$key&login=" . rawurlencode($user_login), 'login') . "\r\n";

from

$message .= '<' . network_site_url("wp-login.php?action=rp&key=$key&login=" . rawurlencode($user_login), 'login') . ">\r\n";

This seems to sort the problem out.

Change History (13)

#1 @dd32
7 years ago

What email clients have you experienced this with? Are you using any email-related plugins at all?

WordPress only uses plain text emails at present by default, and using < and > around links is the standard (for many many many years) on how to present longer links, without it, when the link gets broken up over multiple lines (which is almost a definite with plain text emails)only the first part of the link ends up getting linked in the email client, so really, they're required.

The only times I've seen this broken, is when using a plugin which adds HTML emails to WordPress, which causes the < and > to be interpreted as a HTML element.

#2 follow-up: @SergeyBiryukov
7 years ago

  • Keywords close added

The link sent with the key and user name is surrounded with < and >

As noted by dd32, there's a reason for them to be there: #14140.

I wrote a couple of simple plugins to resolve this issue for some users on support forums without hacking core:

Replying to dd32:

The only times I've seen this broken, is when using a plugin which adds HTML emails to WordPress, which causes the < and > to be interpreted as a HTML element.

Related: #21095

Last edited 6 years ago by SergeyBiryukov (previous) (diff)

#3 @demonpengu
7 years ago

Hi There,

No email plugins.

The Kerio webmail client certainly is a problem. I will have to go investigate the others.

Andy

#5 @SergeyBiryukov
7 years ago

  • Component changed from General to Mail

#6 @c3mdigital
6 years ago

  • Keywords close removed
  • Resolution set to wontfix
  • Status changed from new to closed

See comment:2

#7 @SergeyBiryukov
6 years ago

  • Milestone Awaiting Review deleted

#8 @TobiasBg
5 years ago

#30607 was marked as a duplicate.

#9 @SergeyBiryukov
2 years ago

#40294 was marked as a duplicate.

#10 @thamaraiselvam
2 years ago

#40294 was marked as a duplicate.

#11 in reply to: ↑ 2 @AirFlame
2 years ago

Replying to SergeyBiryukov:

The link sent with the key and user name is surrounded with < and >

As noted by dd32, there's a reason for them to be there: #14140.

I wrote a couple of simple plugins to resolve this issue for some users on support forums without hacking core:

Replying to dd32:

The only times I've seen this broken, is when using a plugin which adds HTML emails to WordPress, which causes the < and > to be interpreted as a HTML element.

Related: #21095

Not working anymore.

#12 follow-up: @lukecavanagh
2 years ago

@AirFlame

The plugin to remove the brackets from password retrieval message does work, I just tested, with it enabled and without it enabled on my staff account. Viewed the source on both emails content.

Tested in WP 4.7.3.

With it enabled

To reset your password, visit the following address:

http://www.domain.com/mylogin/?action=rp&key=SnKqlAddbDRRbphtEmLm&login=username

With it disabled, default WP

To reset your password, visit the following address:

<http://www.domain.com/mylogin/?action=rp&key=fFLoudqtmhS80jkIZfvt&login=username>

#13 in reply to: ↑ 12 @AirFlame
2 years ago

Replying to lukecavanagh:

@AirFlame

The plugin to remove the brackets from password retrieval message does work, I just tested, with it enabled and without it enabled on my staff account. Viewed the source on both emails content.

Tested in WP 4.7.3.

With it enabled

To reset your password, visit the following address:

http://www.domain.com/mylogin/?action=rp&key=SnKqlAddbDRRbphtEmLm&login=username

With it disabled, default WP

To reset your password, visit the following address:

<http://www.domain.com/mylogin/?action=rp&key=fFLoudqtmhS80jkIZfvt&login=username>

Yes it works only for restart password but it dont work for activation link. And i dont see a way to hook to activation link somehow to delete the brackets.

Note: See TracTickets for help on using tickets.