Opened 9 years ago
Closed 8 years ago
#36322 closed defect (bug) (fixed)
Password reset form fails when email address includes apostrophes.
Reported by: | dcavins | Owned by: | boonebgorges |
---|---|---|---|
Milestone: | 4.6 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Login and Registration | Keywords: | has-patch |
Focuses: | administration | Cc: | |
Description
If a user's email address contains an apostrophe, the `get_user_by()` lookup fails because it's checking an email address that's been slashed to travel via `$_POST`. The conservative fix (patch attached) is to add `wp_unslash` to `retrieve_password()`, which is in the spirit of a related fix for adding users via the dashboard, r29966.

I also wonder about adding `wp_unslash()` to `get_user_by( 'email' )` generally so that this problem is fixed everywhere, but the unintended consequences of that change could be bigger than I imagine.
Thanks!
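The failure mode described in the ticket, as an added example that is not WordPress core code or the attached patch. WordPress adds slashes to `$_POST` on load, so `o'brien@example.com` arrives as `o\'brien@example.com` and an exact-match lookup against the stored address never hits. The `wp_slash_stub()`, `wp_unslash_stub()` and `get_user_by_email_stub()` functions below are simplified stand-ins for `wp_slash()`, `wp_unslash()` and `get_user_by( 'email' )` (an assumption: core's versions apply `addslashes()`/`stripslashes()` recursively and query the users table), and the user record is constructed for the demo.

```php
<?php
// Added example, not WordPress core code. Simplified stand-ins for
// wp_slash()/wp_unslash(): recursive addslashes()/stripslashes(), which is
// the only behaviour that matters for this bug.
function wp_slash_stub($value) {
    return is_array($value) ? array_map('wp_slash_stub', $value) : addslashes((string) $value);
}
function wp_unslash_stub($value) {
    return is_array($value) ? array_map('wp_unslash_stub', $value) : stripslashes((string) $value);
}

// Constructed user "table": the stored email is the raw, unslashed address.
function demo_users(): array {
    return [
        ['ID' => 7, 'user_email' => "o'brien@example.com"],
    ];
}

// Stand-in for get_user_by( 'email', $email ): exact match on the stored value,
// returning the user row or false, as core does.
function get_user_by_email_stub(string $email) {
    foreach (demo_users() as $user) {
        if ($user['user_email'] === $email) {
            return $user;
        }
    }
    return false;
}

// What retrieve_password() did before the fix: the slashed POST value goes
// straight into the lookup.
function lookup_without_unslash(array $post) {
    return get_user_by_email_stub(trim($post['user_login']));
}

// What the fix does: unslash the posted value before the lookup.
function lookup_with_unslash(array $post) {
    return get_user_by_email_stub(trim(wp_unslash_stub($post['user_login'])));
}

// Simulate the request: the browser sent the raw address, and WordPress slashed
// $_POST on load, so the value the handler sees contains a backslash.
$post = wp_slash_stub(['user_login' => "o'brien@example.com"]);

$before = lookup_without_unslash($post);
$after  = lookup_with_unslash($post);

printf("POST value seen by handler: %s\n", $post['user_login']);
printf("lookup without wp_unslash: %s\n", $before === false ? 'not found' : 'user ' . $before['ID']);
printf("lookup with wp_unslash:    %s\n", $after === false ? 'not found' : 'user ' . $after['ID']);
```

Run with `php` from the command line; the first lookup reports `not found` and the second finds user 7. Note that unslashing here does not reopen a SQL injection path: the slashes were added for the magic-quotes convention, not as a query escape, and core's email lookup goes through `$wpdb->prepare()`, which does its own escaping on the value it receives.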
Attachments (2)
Change History (13)
#2 @ 9 years ago
- Component changed from Users to Login and Registration
- Keywords 4.6-early added
- Milestone changed from Awaiting Review to Future Release
- Version trunk deleted
Thanks for the patch!
#4 @ 9 years ago
Good catch @dcavins! A unit test validating the issue and fix would be helpful here.
#5 @ 9 years ago
I'd love to write a unit test for this, but I can't figure out how to load `wp-login.php` at the time of the test. The function I'm testing, `retrieve_password()`, isn't normally available. @boonebgorges suggests that it may not be possible to test this function given the current testing setup.
#7 @ 9 years ago
There's a unit test that uses an `eval()` to load just the PHP functions in "wp-login.php".
#8 @ 8 years ago
- Keywords 4.6-early needs-unit-tests removed
- Milestone changed from Future Release to 4.6
#10 @ 8 years ago
@gitlost Thank you for your heroic efforts at making wp-login testable. However, I think we would be far better served by (a) moving login-related functions to a different file (see #35829 and friends), and (b) adopting a proper system for browsers tests (see #34693). The current fix is simple enough that we'll forgo the tests.
Un-slash posted email addresses before attempting get_user_by.