Make WordPress Core

Opened 3 years ago

Last modified 6 months ago

#42957 new defect (bug)

Usernames ending in a period generate invalid reset password links in certain email clients

Reported by: paulcline
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: Users
Keywords: has-patch
Focuses:
Cc:


Password reset links contain the username appended to the end of the URL. If the user name ends in a period, the email client has to decide if the period is part of the URL or part of the punctuation of the sentence. For example:


Gmail generates a clickable link that stops short of the final period. Outlook successfully links the entire URL.

Attachments (2)

42957-password-reset-username-ending-in-period.diff (870 bytes) - added by paulcline 3 years ago.
42957-password-reset-username-ending-in-period-v2.diff (1.6 KB) - added by paulcline 3 years ago.


Change History (7)

#1 @paulcline
3 years ago

  • Keywords has-patch added

#2 @paulcline
3 years ago

Periods are valid in URLs, but we can avoid the issue by forcing "." to encode to "%2E" when generating the link in the email. PHP automatically converts the "%2E" back to "." when it's passed into the receiving side.
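
Added example, not part of the ticket or the attached patches: a stand-alone PHP sketch of the behaviour described in comment #2. The helper names, the `wp-login.php?action=rp&key=…&login=…` link shape, the sample values and the simple autolinker model are assumptions made for illustration.

```php
<?php
// Added illustration; not WordPress core code and not the attached patch.
// All function names below are hypothetical helpers.

// rawurlencode() leaves "." untouched (it is an unreserved character in
// RFC 3986), so the period has to be forced to "%2E" explicitly.
function encode_login_for_email(string $login): string {
    return str_replace('.', '%2E', rawurlencode($login));
}

// Assumed link shape: the login is the last query parameter in the URL.
function build_reset_link(string $site, string $key, string $encodedLogin): string {
    return $site . '/wp-login.php?action=rp&key=' . rawurlencode($key)
        . '&login=' . $encodedLogin;
}

// Simplified model of a mail client that treats trailing sentence
// punctuation as outside the link it makes clickable.
function autolink_guess(string $text): string {
    preg_match('~https?://\S+~', $text, $m);
    return rtrim($m[0], '.,;:!?');
}

// What the receiving side sees: parse_str() percent-decodes values the
// same way PHP does when it fills $_GET.
function login_from_url(string $url): string {
    parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
    return $query['login'] ?? '';
}

// Constructed sample values.
$site  = 'https://example.test';
$key   = 'CONSTRUCTEDKEY123';
$login = 'jane.doe.';

$links = [
    'plain'   => build_reset_link($site, $key, rawurlencode($login)),
    'encoded' => build_reset_link($site, $key, encode_login_for_email($login)),
];

foreach ($links as $label => $url) {
    $clicked  = autolink_guess("To reset your password, visit $url");
    $received = login_from_url($clicked);
    printf("%-8s %s\n  login received: %s (%s)\n", $label, $url,
        var_export($received, true),
        $received === $login ? 'matches' : 'does not match');
}
```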

#3 @obrienlabs
3 years ago

It looks like this type of email can be sent out in 2 scenarios that I can find.

  1. New user email with a link to access their account
  2. Password reset.

I can confirm that both are broken for me in Gmail, too. When clicking the link in Gmail I get invalid token. I tested with the thick Outlook client and outlook.com webmail and both of those worked fine. Seems isolated to Gmail. Given how many people use Gmail this seems like a good one to fix.

Your initial patch fixed the Reset Password process with a test user.

Could you update the patch for the new user email process as well?

#4 @pento
2 years ago

  • Version trunk deleted

#5 @daveagp
6 months ago

It would be great to fix this bug, which I discovered as the source of pain for my users for years (and me, since I usually have to do a manual reset for them).

I see it's been dormant for a while, but I also see the fix. How can I help this fix go in?
