Make WordPress Core

Opened 22 months ago

Last modified 9 months ago

#42957 new defect (bug)

Usernames ending in a period generate invalid reset password links in certain email clients

Reported by: paulcline
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: Users
Keywords: has-patch
Focuses:
Cc:
PR Number:

Description

Password reset links contain the username appended to the end of the URL. If the username ends in a period, the email client has to decide whether the period is part of the URL or part of the punctuation of the sentence. For example:

<https://some-wordpress-site.com/wp-login.php?action=rp&key=V4LSmgBcwtqvFPEiFt0e&login=p.o.>

Gmail generates a clickable link that stops short of the final period. Outlook successfully links the entire URL.

Attachments (2)

42957-password-reset-username-ending-in-period.diff (870 bytes) - added by paulcline 22 months ago.
42957-password-reset-username-ending-in-period-v2.diff (1.6 KB) - added by paulcline 22 months ago.


Change History (6)

#1 @paulcline
22 months ago

  • Keywords has-patch added

#2 @paulcline
22 months ago

Periods are valid in URLs, but we can avoid the issue by forcing "." to encode to "%2E" when generating the link in the email. PHP automatically converts the "%2E" back to "." when it's passed into the receiving side.
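As an added example (not the ticket's patch or WordPress core code), the approach described in this comment in plain PHP: the "login" value is built so it cannot end in a bare period, and the receiving side's query parsing is simulated to show the username comes back intact. The base URL and username are constructed; the key is the one from the description's sample link.

```php
<?php
// Added example, not the ticket's patch: build a password-reset link whose
// "login" value cannot end in a bare period, then show that PHP's
// query-string decoding restores the original username.

// rawurlencode() leaves "." untouched because it is an unreserved character,
// so the period is replaced explicitly with its percent-encoded form "%2E".
function build_reset_link(string $base_login_url, string $key, string $user_login): string {
    $encoded_login = str_replace('.', '%2E', rawurlencode($user_login));
    return $base_login_url . '?action=rp&key=' . rawurlencode($key) . '&login=' . $encoded_login;
}

// Simulates the receiving side: parse_str() percent-decodes query values the
// same way PHP populates $_GET, so "%2E" becomes "." again.
function login_from_link(string $url): ?string {
    parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
    return $query['login'] ?? null;
}

// Constructed sample values (hypothetical site, username ending in a period).
$link = build_reset_link(
    'https://some-wordpress-site.com/wp-login.php',
    'V4LSmgBcwtqvFPEiFt0e',   // key taken from the ticket's example URL
    'p.o.'
);

echo $link, "\n";

// Checks: the link no longer ends in a period, so a mail client has nothing
// ambiguous to strip, and the round trip recovers the username exactly.
assert(substr($link, -1) !== '.');
assert(login_from_link($link) === 'p.o.');
```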

#3 @obrienlabs
22 months ago

It looks like this type of email can be sent out in 2 scenarios that I can find.

  1. New user email with a link to access their account
  2. Password reset.

I can confirm that both are broken for me in Gmail, too. When clicking the link in Gmail I get invalid token. I tested with the thick Outlook client and outlook.com webmail and both of those worked fine. Seems isolated to Gmail. Given how many people use Gmail this seems like a good one to fix.

Your initial patch fixed the Reset Password process with a test user.

Could you update the patch for the new user email process as well?

#4 @pento
9 months ago

  • Version trunk deleted