#23420 closed enhancement (wontfix)
Lost password, invalid key - noticed something
Reported by: | demonpengu | Owned by: | |
---|---|---|---|
Milestone: | | Priority: | normal |
Severity: | normal | Version: | 3.5.1 |
Component: | | Keywords: | |
Focuses: | | Cc: | |
Description
Hi there,
I have noticed something about the lost password/email retrieval that may be a bug or may help out with the number of requests this gets.
The link sent with the key and user name is surrounded with < and >
Some email clients are misinterpreting this link and including the > at the end of the user name which in turn kills the database query because the user name does not match.
I have run a couple of tests changing line 235 of wp-login.php to be:
$message .= network_site_url("wp-login.php?action=rp&key=$key&login=" . rawurlencode($user_login), 'login') . "\r\n";
from
$message .= '<' . network_site_url("wp-login.php?action=rp&key=$key&login=" . rawurlencode($user_login), 'login') . ">\r\n";
This seems to sort the problem out.
Change History (13)
#2 (follow-up: ↓ 11) 12 years ago
- Keywords close added
The link sent with the key and user name is surrounded with < and >
As noted by dd32, there's a reason for them to be there: #14140.
I wrote a couple of simple plugins to resolve this issue for some users on support forums without hacking core:
- This one removes the brackets from all password retrieval messages:
http://pastebin.com/ni7rs384
- This one does that only for a specific service that is known to misinterpret the brackets:
http://pastebin.com/1Et2yb4b
Replying to dd32:
The only times I've seen this broken, is when using a plugin which adds HTML emails to WordPress, which causes the < and > to be interpreted as a HTML element.
Related: #21095
#3 12 years ago
Hi There,
No email plugins.
The Kerio webmail client certainly is a problem. I will have to go investigate the others.
Andy
#6 11 years ago
- Keywords close removed
- Resolution set to wontfix
- Status changed from new to closed
See comment:2
#11 (in reply to: ↑ 2) 8 years ago
Replying to SergeyBiryukov:
The link sent with the key and user name is surrounded with < and >
As noted by dd32, there's a reason for them to be there: #14140.
I wrote a couple of simple plugins to resolve this issue for some users on support forums without hacking core:
- This one removes the brackets from all password retrieval messages:
http://pastebin.com/ni7rs384
- This one does that only for a specific service that is known to misinterpret the brackets:
http://pastebin.com/1Et2yb4b
Replying to dd32:
The only times I've seen this broken, is when using a plugin which adds HTML emails to WordPress, which causes the < and > to be interpreted as a HTML element.
Related: #21095
Not working anymore.
#12 (follow-up: ↓ 13) 8 years ago
@AirFlame
The plugin to remove the brackets from password retrieval message does work, I just tested, with it enabled and without it enabled on my staff account. Viewed the source on both emails content.
Tested in WP 4.7.3.
With it enabled
To reset your password, visit the following address: http://www.domain.com/mylogin/?action=rp&key=SnKqlAddbDRRbphtEmLm&login=username
With it disabled, default WP
To reset your password, visit the following address: <http://www.domain.com/mylogin/?action=rp&key=fFLoudqtmhS80jkIZfvt&login=username>
#13 (in reply to: ↑ 12) 8 years ago
Replying to lukecavanagh:
@AirFlame
The plugin to remove the brackets from password retrieval message does work, I just tested, with it enabled and without it enabled on my staff account. Viewed the source on both emails content.
Tested in WP 4.7.3.
With it enabled
To reset your password, visit the following address: http://www.domain.com/mylogin/?action=rp&key=SnKqlAddbDRRbphtEmLm&login=username
With it disabled, default WP
To reset your password, visit the following address: <http://www.domain.com/mylogin/?action=rp&key=fFLoudqtmhS80jkIZfvt&login=username>
Yes, it works only for restart password, but it doesn't work for the activation link. And I don't see a way to hook to the activation link somehow to delete the brackets.
What email clients have you experienced this with? Are you using any email-related plugins at all?
WordPress only uses plain text emails at present by default, and using < and > around links is the standard (for many many many years) on how to present longer links; without it, when the link gets broken up over multiple lines (which is almost a definite with plain text emails), only the first part of the link ends up getting linked in the email client, so really, they're required.
The only times I've seen this broken, is when using a plugin which adds HTML emails to WordPress, which causes the < and > to be interpreted as a HTML element.
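The two link-parsing behaviours discussed in this ticket, as an added example that is not part of the ticket or of WordPress itself: an extractor that honours the < > delimiters recovers a line-wrapped reset link intact, while a whitespace-delimited extractor either keeps the trailing > in the login value or loses the rest of a wrapped bare link. The function names, the 40-character wrap width and the sample message (placeholder host, key and login) are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: reset e-mail bodies in the style quoted in this ticket,
# with a placeholder host, key and login.
RESET_URL = ("http://www.example.com/wp-login.php"
             "?action=rp&key=EXAMPLEKEY0000000000&login=username")
INTRO = "To reset your password, visit the following address:\r\n\r\n"
BODY_BRACKETED = INTRO + "<" + RESET_URL + ">\r\n"
BODY_BARE = INTRO + RESET_URL + "\r\n"


def hard_wrap(text, width):
    """Simulate a mail path that breaks every long line at a fixed width."""
    lines = []
    for line in text.split("\r\n"):
        lines.extend([line[i:i + width] for i in range(0, len(line), width)] or [""])
    return "\r\n".join(lines)


def extract_delimited(text):
    """Honour the < > delimiters: take what lies between them and drop any
    whitespace or line breaks that were inserted inside."""
    urls = []
    for inner in re.findall(r"<([^<>]*)>", text):
        candidate = re.sub(r"\s+", "", inner)
        if re.match(r"https?://", candidate):
            urls.append(candidate)
    return urls


def extract_naive(text):
    """Linkifier that treats everything up to the next whitespace as the URL."""
    return re.findall(r"https?://\S+", text)


def login_param(url):
    """The login query value as the reset handler would receive it."""
    return parse_qs(urlsplit(url).query).get("login", [None])[0]


if __name__ == "__main__":
    wrapped = hard_wrap(BODY_BRACKETED, 40)
    print("delimited, wrapped: ", login_param(extract_delimited(wrapped)[0]))
    print("naive, bracketed:   ", login_param(extract_naive(BODY_BRACKETED)[0]))
    print("naive, bare+wrapped:", login_param(extract_naive(hard_wrap(BODY_BARE, 40))[0]))
```
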