Opened 8 weeks ago
Last modified 7 weeks ago
#52529 new defect (bug)
Non-slashed $old_user_data->user_email in wp_insert_user causes user_activation_key to be unset
Reported by: | | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | 2.2 |
Component: | Login and Registration | Keywords: | has-patch needs-unit-tests |
Focuses: | | Cc: | |
Description
WordPress now allows apostrophes in email addresses, but the forgot password process for these users fails.
`$data['user_activation_key']` in `wp_insert_user()` gets cleared when the `$user_email !== $old_user_data->user_email` comparison fails.
This is because `$old_user_data` is the "clean" data from the database; however, `wp_update_user()` calls `add_magic_quotes()` on the user data it passes, causing apostrophes in email addresses to be slashed.
The process fails silently as there is no error when `$data['user_activation_key']` is cleared in this flow, even though it is required for the forgot password system to function.
To replicate: register a user with an apostrophe in their email, use the lost password system from wp-login.php. An email will be sent/received, but the reset link is deemed invalid as there is no `user_activation_key` in the db.
Patch (about to be) attached to slash email only in `$old_user_data`. While this fixes the bug, it does raise the question of whether `get_password_reset_key()` should validate that the key is created directly as `wp_update_user()` errors don't give the granularity to tell us.
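
A stand-alone model of the comparison described in this ticket, added here as an illustration; it is not WordPress core code or the attached patch. `model_update_user()`, `model_request_reset()`, the sample addresses and the key value are constructed, and `addslashes()` is assumed to stand in for the slashing the ticket attributes to `add_magic_quotes()`.

```php
<?php
// Simplified model of the comparison described in the ticket; not WordPress core code.
// model_update_user(), the addresses and the key value are constructed for illustration.

/** Returns the activation key that would be written for an update. */
function model_update_user(array $stored, array $incoming, bool $slash_old_email): string
{
    // Assumption: addslashes() models the slashing applied to the data passed in.
    $user_email = addslashes($incoming['user_email']);

    // $old_user_data is the unslashed row read from the database.
    $old_email = $stored['user_email'];
    if ($slash_old_email) {
        // Approach the ticket describes for its patch: slash the old email only.
        $old_email = addslashes($old_email);
    }

    // A mismatch is treated as an email change, which clears the key.
    return ($user_email !== $old_email) ? '' : $incoming['user_activation_key'];
}

/** Caller-side check the ticket asks about: confirm the key survived the update. */
function model_request_reset(array $stored, string $new_key, bool $slash_old_email): string
{
    $incoming = ['user_email' => $stored['user_email'], 'user_activation_key' => $new_key];
    $written  = model_update_user($stored, $incoming, $slash_old_email);
    return ($written === $new_key) ? 'key stored' : 'key lost: reset link will be invalid';
}

$key = '1700000000:constructed-hash';
foreach (["o'brien@example.com", 'plain@example.com'] as $email) {
    $stored = ['user_email' => $email, 'user_activation_key' => ''];
    foreach ([false, true] as $slash_old_email) {
        printf(
            "%-22s slash_old=%-5s %s\n",
            $email,
            var_export($slash_old_email, true),
            model_request_reset($stored, $key, $slash_old_email)
        );
    }
}
```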