WordPress.org
Get WordPress

Make WordPress Core

Opened 6 years ago

Closed 4 months ago

Last modified 5 weeks ago

#50072 closed defect (bug) (duplicate)

Users with email addresses containing a single quote cannot reset their passwords

Reported by: danieleperilli's profile daniele.perilli Owned by:
Milestone: Priority: normal
Severity: major Version: 5.4
Component: Users Keywords: needs-patch needs-unit-tests
Focuses: Cc:

Description

I just found that users with a single quote in their email addresses cannot reset their passwords.
This happens because there is a difference in the email addresses compared by the wp_insert_user() function.

Take a look at this example.
I have a user with an email address equal to daniel.o'brian@…
When he tries to reset his password, he receives the reset key, but his activation key is not stored in the database.
Looking at lines 1805-1808 of the file users.php I found the problem:

         if ( $update ) {
		if ( $user_email !== $old_user_data->user_email || $user_pass !== $old_user_data->user_pass ) {
			$data['user_activation_key'] = '';
		}

In the above code the variable $user_email is daniel.o'brian@…, but the $old_user_data->user_email is escaped and appears to be daniel.o\'brian@…, so there isn't the match and user activation key is cleared.

Can you confirm and provide a fix?
In the meantime, I can change this behavior by escaping the $user_email myself in the filter wp_pre_insert_user_data which is a few lines above the checking, I guess.

Thanks!

Change History (5)

#1 @daniele.perilli
6 years ago

Sorry, I inverted the values of the two variables:
$user_email is escaped = daniel.o\'brian@…
$old_user_data->user_email is not escaped = daniel.o'brian@…

#2 @SergeyBiryukov
6 years ago

  • Keywords needs-patch needs-unit-tests added

#3 @hbhalodia
6 months ago

Hi @danieleperilli @SergeyBiryukov,

I have tested the scenarios outlined above but was unable to reproduce the issue on WordPress version 6.8.1.

Here are the detailed steps I followed:

  1. Created a new user with the email new'user.test@gmail.com, ensuring the email condition was met.
  2. Navigated to the user’s profile and clicked the Send Reset Link button.
  3. The system displayed a confirmation that the reset link was sent successfully.
  4. Verified the email in MailHog, which contained the reset link with the username and key as URL parameters.
  5. Clicked the link, which correctly redirected to the “Enter New Password” page. Upon submission, the password was successfully reset, and I was able to log in using the new credentials.
  6. Additionally, I tested the same scenario using the “Forgot Password” workflow, which functioned as expected.

Based on these tests, I am unable to replicate the reported issue on WordPress 6.8.1.

Thank you.

Version 0, edited 6 months ago by hbhalodia (next)

#4 @jdeep
4 months ago

  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #54416.

#5 @swissspidy
5 weeks ago

  • Milestone Awaiting Review deleted

Removing milestone from closed ticket.

Note: See TracTickets for help on using tickets.