Make WordPress Core

Opened 9 years ago

Last modified 4 years ago

#34372 new defect (bug)

Password reset link invalid for user names containing blanks

Reported by: ditler
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 4.3.1
Component: Login and Registration
Keywords: reporter-feedback
Focuses:
Cc:

Description

When a user name contains a blank and the corresponding password is reset, the URL in the reset email will contain a blank, at which point the link will be interrupted.

Attachments (1)

Bildschirmfoto 2015-10-21 um 05.35.14.png (20.9 KB) - added by ditler 9 years ago.


Change History (9)

#1 @swissspidy
9 years ago

  • Component changed from General to Login and Registration

The username is encoded using rawurlencode and the email content looks like this for the user "user with space":

To reset your password, visit the following address:

<http://src.wordpress-develop.dev/wp-login.php?action=rp&key=jwLFZG4imEmMiJHeOb0b&login=user%20with%20space>

Seems correct to me. Which email client did you experience this with?

#2 @johnbillion
9 years ago

  • Keywords reporter-feedback added

#3 @ditler
9 years ago

While I do not have deep insight into what role the email client might have here, there is definitely a problem - I tried it with and without the plugin WP Better EMails.

I am using GoogleMail online and experience the problem with the Gmail interface, the Inbox interface and the Android app. Another person has reported the problem using a different email provider, though I do not know which client was used.

I attached the link as I see it when the mail arrives (no plugins).

This is part of the raw email I see when I click "show original" in Gmail:

X-Priority: 3
X-Mailer: PHPMailer 5.2.10 (https://github.com/PHPMailer/PHPMailer/)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Jemand hat das Zurücksetzen des Passworts für folgendes Benutzerkonto angefordert:

https://www.blablabla.de/

Benutzername: Test User name

Falls dies nicht beabsichtigt war, ignoriere einfach diese E-Mail. Es wird dann nichts passieren.

Um dein Passwort zurückzusetzen, besuche folgende Adresse:

<https://www.blablabla.de/pipapo/?action=rp&key=2dB2dSXj3d1JzZ15D7uM&login=Test User name>

Last edited 9 years ago by ditler

#4 @SergeyBiryukov
9 years ago

Could not reproduce on a clean install. Here's the raw email:

X-Priority: 3
X-Mailer: PHPMailer 5.2.10 (https://github.com/PHPMailer/PHPMailer/)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Someone requested that the password be reset for the following account:

http://develop.wordpress/src/

Username: Test User name

If this was a mistake, just ignore this email and nothing will happen.

To reset your password, visit the following address:

<http://develop.wordpress/src/wp-login.php?action=rp&key=plARTJUCFXY8TEvEFADV&login=Test%20User%20name>

Does the issue still happen with all plugins disabled and a default theme (Twenty Fifteen) activated?

#5 @bluepunk
8 years ago

I've been experiencing the same issue. What I discovered so far:

A. Lastname is correctly translated to A.%20Lastname
A. de Lastname is not correctly translated. This ends up as A.20Lastname.

I'm starting to think it's trying to interpret the %20de as a single utf-8 character.

I'll conduct a few more tests to see if I can confirm this.

Last edited 8 years ago by bluepunk
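
A check for the two broken link forms reported in this ticket (a literal space in the URL, and a login value that no longer decodes to the user name), as an added example that is not WordPress core code and not from any commenter. The helper check_reset_link(), the example.test host, the placeholder key and the sample bodies are all constructed for illustration.

```php
<?php
// Added example: check_reset_link() is a hypothetical helper, not WordPress code.
// Returns a list of problems with the reset link; an empty list means it is intact.
function check_reset_link(string $body, string $username): array {
    // The reset link sits on its own line, wrapped in angle brackets.
    if (!preg_match('#^<(https?://[^>\r\n]*)>\s*$#m', $body, $m)) {
        return ['no <...> reset link found'];
    }
    $url = $m[1];
    $problems = [];
    // Whitespace is not valid inside a URL, so the link gets cut off there.
    if (preg_match('/\s/', $url)) {
        $problems[] = 'unencoded whitespace in URL';
    }
    // Every "%" must begin a two-digit hex escape such as %20.
    if (preg_match('/%(?![0-9A-Fa-f]{2})/', $url)) {
        $problems[] = 'malformed percent escape';
    }
    // Take the raw login value from the query string and compare both ways.
    if (!preg_match('/[?&]login=([^&]*)/', $url, $q)) {
        $problems[] = 'login parameter missing';
    } elseif (rawurldecode($q[1]) !== $username) {
        $problems[] = 'login does not decode to the user name';
    } elseif ($q[1] !== rawurlencode($username)) {
        $problems[] = 'login is not in rawurlencode() form';
    }
    return $problems;
}

// Constructed sample bodies (host and key are placeholders).
$base = 'https://example.test/wp-login.php?action=rp&key=PLACEHOLDERKEY&login=';
$samples = [
    ['Test User name', 'Test%20User%20name'],  // encoded as expected
    ['Test User name', 'Test User name'],      // literal spaces in the link
    ['A. de Lastname', 'A.20Lastname'],        // mangled escape
    ['A. de Lastname', rawurlencode('A. de Lastname')],
];
foreach ($samples as [$user, $login]) {
    $body = "Username: $user\n\nTo reset your password, visit the following address:\n\n<{$base}{$login}>\n";
    $found = check_reset_link($body, $user);
    echo str_pad($user, 16), $login, ' => ', $found ? implode('; ', $found) : 'ok', "\n";
}
```

Running the same function over the body captured just before it is handed to the mailer and over the raw message as received shows on which side of the send the encoding was lost.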

#6 @ocean90
7 years ago

#42038 was marked as a duplicate.

#8 @SergeyBiryukov
4 years ago

#52285 was marked as a duplicate.
