Make WordPress Core

Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#39720 closed defect (bug) (invalid)

retrieve_password_key returning strings including special characters that in a link is url encoded

Reported by: dejliglama
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 4.7.1
Component: Users
Keywords: close
Focuses:
Cc:

Description

The link sent out in mail to create new password sometimes holds characters like $

When clicking the link, that is transformed into %24 (or other possible URL encodings).

The form is loaded nicely, but upon submitting the form, an "invalid key" error is shown - rightly so, since the key isn't valid.

The issue is the characters that are used to create the keys.

Change History (4)

#1 @johnbillion
8 years ago

  • Keywords reporter-feedback close added

Thanks for the report, @dejliglama.

The password reset key intentionally does not include special characters such as punctuation. See: https://core.trac.wordpress.org/browser/trunk/src/wp-includes/user.php?rev=39600&marks=2110#L2108 (note that false is passed as the second parameter to wp_generate_password()).

Are you using a plugin on your site which overrides the password reset process?

#2 @dejliglama
8 years ago

  • Keywords reporter-feedback removed
  • Resolution set to worksforme
  • Status changed from new to closed

#3 @dejliglama
8 years ago

Found the issue in a plugin - as you mentioned...

#4 @johnbillion
8 years ago

  • Milestone Awaiting Review deleted
  • Resolution changed from worksforme to invalid

Thanks for letting us know :-)
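
The point made in comment #1, as an added example that is not part of the ticket and not WordPress core code: a key drawn only from letters and digits is unchanged by percent-encoding, while a key containing `$` validates only if the handler decodes the query string before comparing. All function names, the URL and the sample key are constructed, and the raw-comparison handler is an assumed failure mode, since the ticket does not say how the plugin processed the key.

```php
<?php
// Added example, not WordPress core code; all names and values are constructed.

// Key drawn only from letters and digits, so URL handling never alters it.
function make_reset_key(int $length = 20): string {
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $key = '';
    for ($i = 0; $i < $length; $i++) {
        $key .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $key;
}

// True when percent-encoding leaves the key byte-for-byte identical.
function is_url_stable(string $key): bool {
    return rawurlencode($key) === $key;
}

// Build the link with explicit encoding so any key value round-trips.
function build_reset_link(string $base, string $login, string $key): string {
    return $base . '?action=rp&key=' . rawurlencode($key)
         . '&login=' . rawurlencode($login);
}

// Assumed failure mode: compares the still-encoded query value to the stored key.
function check_key_raw(string $url, string $stored): bool {
    $query = (string) parse_url($url, PHP_URL_QUERY);
    preg_match('/(?:^|&)key=([^&]*)/', $query, $m);
    return hash_equals($stored, $m[1] ?? '');
}

// Corrected handler: decodes the query string before the constant-time compare.
function check_key_decoded(string $url, string $stored): bool {
    parse_str((string) parse_url($url, PHP_URL_QUERY), $params);
    return hash_equals($stored, (string) ($params['key'] ?? ''));
}

$base = 'https://example.test/wp-login.php'; // constructed URL
$keys = [
    'key with "$"'     => 'aB3$kQ9zLm2XyT7pRw4N', // constructed sample key
    'alphanumeric key' => make_reset_key(),
];
foreach ($keys as $label => $key) {
    $link = build_reset_link($base, 'alice', $key);
    printf("%s: url-stable=%s raw-compare=%s decoded-compare=%s\n", $label,
        var_export(is_url_stable($key), true),
        var_export(check_key_raw($link, $key), true),
        var_export(check_key_decoded($link, $key), true));
}
```

A plugin that replaces the key generator can run a check like `is_url_stable()` on its output to catch keys that will not survive the e-mailed link unchanged.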
