Changeset 25696 breaks expected value of argument sent to filter 'retrieve_password_message'
Reported by: dcavins | Owned by: johnbillion
Description (last modified by SergeyBiryukov)
In changeset  to wp-login.php, the function 'retrieve_password' was changed to hash the generated key about line 350:
$hashed = $wp_hasher->HashPassword( $key );
However, the filter 'retrieve_password_message' is still sending $key as an argument, line 385
$message = apply_filters( 'retrieve_password_message', $message, $key );
So any existing filters are no longer receiving the value stored in the database (which matters because filtering 'retrieve_password_message' almost has to include a search on that value to get the requestor's user_login, which is required for the password reset link to work).
A simple fix is changing line 385 to
$message = apply_filters( 'retrieve_password_message', $message, $hashed );
Thanks for the great software!
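The mismatch described in the ticket, as an added example that is not WordPress code and not part of the original report: once only a salted hash of the key is stored, an equality search on the plaintext key (or on a fresh hash of it) finds no row, while the plaintext key can still be verified against the stored hash when the login is already known. Assumptions: `password_hash()` / `password_verify()` stand in for the phpass hasher, and the array-backed user table, the function names and the login `alice` are constructed for illustration.

```php
<?php
// Constructed stand-in for the users table: user_login => user_activation_key.
// password_hash() stands in for $wp_hasher->HashPassword(); both yield a salted hash.
function store_reset_key( array &$users, string $login ): string {
    $key = bin2hex( random_bytes( 10 ) );                       // plaintext key, e-mailed only
    $users[ $login ] = password_hash( $key, PASSWORD_DEFAULT ); // only the hash is stored
    return $key;
}

// Legacy pattern in a 'retrieve_password_message' callback (hypothetical helper):
// find the user by comparing the filter's $key argument with the stored value.
function find_login_by_key( array $users, string $key ): ?string {
    $login = array_search( $key, $users, true );
    return false === $login ? null : $login;
}

// Check that works against a hashed column (hypothetical helper): the login
// must already be known, then the plaintext key is verified against its hash.
function verify_reset_key( array $users, string $login, string $key ): bool {
    return isset( $users[ $login ] ) && password_verify( $key, $users[ $login ] );
}

$users = array();
$key   = store_reset_key( $users, 'alice' ); // 'alice' is a constructed login

// Equality search with the plaintext key: no match against the hashed column.
var_dump( find_login_by_key( $users, $key ) );

// Hashing the key again does not help: a new salt gives a different string.
var_dump( find_login_by_key( $users, password_hash( $key, PASSWORD_DEFAULT ) ) );

// Verification by login succeeds for the right key and fails for a wrong one.
var_dump( verify_reset_key( $users, 'alice', $key ) );
var_dump( verify_reset_key( $users, 'alice', 'wrong-key' ) );
```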
Change History (16)
- Component changed from General to Users
- Description modified (diff)
- Milestone changed from Awaiting Review to 3.7.2
- Version changed from 3.7.1 to 3.7
comment:10 @johnbillion — 10 months ago
- Keywords needs-docs added; 2nd-opinion removed
- Milestone changed from Future Release to 4.1