Opened 4 years ago
Last modified 3 years ago
#53348 reviewing defect (bug)
No form to log in when visiting wp-login.php with a given query string
Reported by: | henry.wright | Owned by: | SergeyBiryukov |
---|---|---|---|
Milestone: | Future Release | Priority: | normal |
Severity: | normal | Version: | |
Component: | Login and Registration | Keywords: | has-patch needs-unit-tests early |
Focuses: | Cc: |
Description
When I visit the wp-login.php page with specific query strings, I get a blank page. I don't get a form to log in.
The query strings that cause the blank page are
- wp-login.php?action=checkemail
- wp-login.php?checkemail=foo
- wp-login.php?checkemail=bar
- wp-login.php?checkemail=baz
- Note though, wp-login.php?checkemail=confirm does give me a form
Attachments (1)
Change History (16)
#2
@
4 years ago
Further, when I visit wp-login.php?action=checkemail, I get 2 PHP debug notices
Notice : Undefined index: checkemail in /var/www/html/wp-login.php on line 1143
Notice : Undefined index: checkemail in /var/www/html/wp-login.php on line 1153
#3
@
4 years ago
In summary
I did some testing on a fresh local install using both action
and checkemail
attributes in the wp-login.php query string.
For the action
attribute, the postpass
and checkemail
values result in blank pages:
- wp-login.php?action=postpass
- wp-login.php?action=checkemail
When the value is checkemail
, I get 2 debug notices related to a undefined indexes in wp-login.php
Undefined index: checkemail in /var/www/html/wp-login.php
For the checkemail
attribute, every value aside from confirm
and registered
results in blank pages:
- wp-login.php?checkemail=foo
- wp-login.php?checkemail=bar
This ticket was mentioned in PR #1339 on WordPress/wordpress-develop by davidkryzaniak.
4 years ago
#4
- Keywords has-patch added
Added else to wp-login.php. This is just in case $_GET['checkemail']
is set to something we were not expecting.
Trac ticket: https://core.trac.wordpress.org/ticket/53348
#5
@
4 years ago
Thanks for the patch @davidkryzaniak. The else
statement does provide a solution to the blank page. However, the 2 debug notices aren't fixed by the patch
henrywright commented on PR #1339:
4 years ago
#6
#7
@
4 years ago
Something like this is also necessary to fix the debug notices
if ( isset( $_GET['checkemail'] ) && 'confirm' === $_GET['checkemail'] ) { // ... } elseif ( isset( $_GET['checkemail'] ) && 'registered' === $_GET['checkemail'] ) { // ... } else { // ... }
#8
@
4 years ago
- Milestone changed from Awaiting Review to 5.9
- Owner set to SergeyBiryukov
- Status changed from new to reviewing
#9
@
4 years ago
Thinking about the solution for this. Although the patch solves the problem, displaying an error when an invalid query string is supplied isn't consistent with existing behaviour.
Currently when there is an invalid query such as action=abcdef, the login form is displayed. Login form display seems to be the default or "fallback"
#10
@
4 years ago
53348.diff is a solution which uses the login form as the default case when the query string isn't "valid"
This ticket was mentioned in Slack in #core by audrasjb. View the logs.
3 years ago
#13
@
3 years ago
- Keywords needs-testing added
- Milestone changed from 5.9 to 6.0
As per today's bug scrub, let's move this ticket for 6.0 consideration to ensure it's properly tested. Some testing info are already available above in this ticket.
This ticket was mentioned in Slack in #core by mike. View the logs.
3 years ago
#15
@
3 years ago
- Keywords needs-unit-tests early added; needs-testing removed
- Milestone changed from 6.0 to Future Release
Test Report
Environment
- Server: Apache (Linux)
- WordPress: 6.0-alpha-52448-src
- Browser: Chrome 100.0.4896.75
- OS: Windows 10
- Theme: Twenty Twenty
- Plugins: None activated
Steps
- Navigate to
wp-login.php?checkemail=foo
. Notice that there is no login form. ✅ - Apply 53348.diff. Notice that the login form appears. ✅
Results
- 53348.diff successfully resolves the issue.
Notes
- This would benefit from unit tests that set the
$_GET['checkemail']
value and testdid_action( 'login_init' )
, for example. Addingneeds-unit-tests
. - Per the discussion in the bug scrub, moving this to Future Release as it was felt that it's too late in the 6.0 cycle to touch the login form and marking as
early
.
Actually, wp-login.php?checkemail=confirm doesn't give me a form like I said in this ticket description. It gives me a message to check my email for a password reset link. This is expected behaviour