Make WordPress Core

Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#40356 closed enhancement (duplicate)

Broken reset password link

Reported by: ikalkov Owned by:
Milestone: Priority: normal
Severity: normal Version: 4.7.3
Component: Login and Registration Keywords:
Focuses: Cc:

Description

After the registration or password reset, the user receives an email like this:

WordPress - [Project] Password Reset
Someone has requested a password reset for the following account:
https://abcd/

Username: efgh

If this was a mistake, just ignore this email and nothing will happen.
To reset your password, visit the following address:
<https://abcd/login?action=rp&key=w7NfjFe4bzB278EqJnty&login=efgh>

Which is OK so far. Unfortunately, some e-mail clients append the trailing ">" to the username on click, opening the following wrong URL:

https://abcd/login?action=rp&key=w7NfjFe4bzB278EqJnty&login=efgh%3E

This leads to the error message "Your password reset link appears to be invalid. Please request a new link below." and the process starts all over again. In the last 24 hours we have received more than messages from confused customers who don't pay close attention to the URL.
The corresponding source code in wp-login.php explains the issue:

 $message .= '<' . network_site_url("wp-login.php?action=rp&key=$key&login=" . rawurlencode($user_login), 'login') . ">\r\n";

I'm not sure why exactly the address has to be put into angle brackets. Can they be removed or can we at least put some separator (like "&") at the end of the username?

Change History (2)

#1 @swissspidy
6 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Hey there, welcome to Trac and thanks for your report.

This issue generally happens if a plugin or theme uses wp_mail_content_type filter to change the MIME type to text/html for all outgoing emails, but does not perform any further processing to make sure the HTML is valid. The solution in that case is to stop doing that and only enable that filter where needed.

See #39742, #21095 for more info and #14140 for the reason they're there.
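To make the cause described in this comment concrete, here is an added example (not code from the ticket, from WordPress core, or from any named plugin). It contrasts the global `wp_mail_content_type` override that turns the plain-text reset mail, angle brackets included, into HTML with a version that enables HTML only for the one message that needs it, and it adds a small diagnostic that reports whether some active plugin or theme is forcing `text/html` on every outgoing mail. The `example_` function names are hypothetical; `add_filter`, `remove_filter`, `apply_filters`, `wp_mail` and `esc_url` are real WordPress functions.

```php
<?php
/**
 * Added example, not part of the ticket or of WordPress core.
 * Requires a loaded WordPress environment (wp_mail, add_filter, ...).
 */

/*
 * Problematic pattern (what comment #1 describes): a plugin or theme
 * forces every outgoing mail to text/html. Core's password reset mail
 * is written as text/plain and wraps the URL in "<...>", so once it is
 * declared HTML the bracketed address is no longer a plain-text URL
 * and mail clients may mangle or drop it.
 */
function example_force_html_everywhere() {
    // Do NOT do this globally.
    add_filter( 'wp_mail_content_type', function () {
        return 'text/html';
    } );
}

/*
 * Scoped alternative: enable text/html only while sending the one
 * message that is actually HTML, then remove the filter again so core
 * mails (password reset, new user, ...) stay text/plain.
 */
function example_send_html_mail( $to, $subject, $html_body ) {
    $set_html = function () {
        return 'text/html';
    };

    add_filter( 'wp_mail_content_type', $set_html );
    $sent = wp_mail( $to, $subject, $html_body );
    // Same closure instance, so remove_filter() finds the registration.
    remove_filter( 'wp_mail_content_type', $set_html );

    return $sent;
}

/*
 * When a message really is HTML, links are written as anchors with the
 * href escaped, rather than as bare "<https://...>" text. The URL here
 * is a hypothetical placeholder, not a real reset link.
 */
function example_html_link_paragraph( $url ) {
    return '<p><a href="' . esc_url( $url ) . '">' . esc_url( $url ) . '</a></p>';
}

/*
 * Diagnostic: wp_mail() starts from text/plain and runs it through the
 * wp_mail_content_type filter. If the filtered value is already
 * text/html with no mail being sent, something has hooked the filter
 * globally, which is the situation this ticket ran into.
 */
function example_is_html_forced_globally() {
    $default = 'text/plain';
    $result  = apply_filters( 'wp_mail_content_type', $default );

    return strtolower( trim( $result ) ) === 'text/html';
}

// Usage (inside a site's mu-plugin or a WP-CLI eval, for instance):
//
// if ( example_is_html_forced_globally() ) {
//     error_log( 'wp_mail_content_type is forced to text/html site-wide; reset mails will break.' );
// }
//
// example_send_html_mail(
//     'user@example.invalid',                // constructed address
//     'Welcome',
//     example_html_link_paragraph( 'https://example.invalid/welcome' )
// );
```

The diagnostic is the quickest way to confirm the explanation above on a live site: if it returns true before any mail has been queued, a plugin or theme is applying the filter unconditionally, and the fix is to scope it as in `example_send_html_mail()` rather than to alter core's reset message.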

#2 @ikalkov
6 years ago

Oh my gosh, that was fast! Thank you so much, somehow I didn't find that last ticket, which actually explains all of it :)
