WordPress.org

Make WordPress Core

Opened 4 months ago

Last modified 4 months ago

#53348 reviewing defect (bug)

No form to log in when visiting wp-login.php with a given query string

Reported by: henry.wright
Owned by: SergeyBiryukov
Milestone: 5.9
Priority: normal
Severity: normal
Version:
Component: Login and Registration
Keywords: has-patch
Focuses:
Cc:

Description

When I visit the wp-login.php page with specific query strings, I get a blank page. I don't get a form to log in.

The query strings that cause the blank page are

  • wp-login.php?action=checkemail
  • wp-login.php?checkemail=foo
  • wp-login.php?checkemail=bar
  • wp-login.php?checkemail=baz
  • Note though, wp-login.php?checkemail=confirm does give me a form

Attachments (1)

53348.diff (645 bytes) - added by henry.wright 4 months ago.


Change History (12)

#1 @henry.wright
4 months ago

Actually, wp-login.php?checkemail=confirm doesn't give me a form like I said in this ticket description. It gives me a message to check my email for a password reset link. This is expected behaviour.

#2 @henry.wright
4 months ago

Further, when I visit wp-login.php?action=checkemail, I get 2 PHP debug notices

Notice: Undefined index: checkemail in /var/www/html/wp-login.php on line 1143
Notice: Undefined index: checkemail in /var/www/html/wp-login.php on line 1153

#3 @henry.wright
4 months ago

In summary

I did some testing on a fresh local install using both action and checkemail attributes in the wp-login.php query string.

For the action attribute, the postpass and checkemail values result in blank pages:

  • wp-login.php?action=postpass
  • wp-login.php?action=checkemail

When the value is checkemail, I get 2 debug notices related to undefined indexes in wp-login.php:

Undefined index: checkemail in /var/www/html/wp-login.php

For the checkemail attribute, every value aside from confirm and registered results in blank pages:

  • wp-login.php?checkemail=foo
  • wp-login.php?checkemail=bar

This ticket was mentioned in PR #1339 on WordPress/wordpress-develop by davidkryzaniak.


4 months ago

  • Keywords has-patch added

Added else to wp-login.php. This is just in case $_GET['checkemail'] is set to something we were not expecting.

Trac ticket: https://core.trac.wordpress.org/ticket/53348

#5 @henry.wright
4 months ago

Thanks for the patch @davidkryzaniak. The else statement does provide a solution to the blank page. However, the 2 debug notices aren't fixed by the patch.

#7 @henry.wright
4 months ago

Something like this is also necessary to fix the debug notices

if ( isset( $_GET['checkemail'] ) && 'confirm' === $_GET['checkemail'] ) {
    // ...
} elseif ( isset( $_GET['checkemail'] ) && 'registered' === $_GET['checkemail'] ) {
    // ...
} else {
    // ...
}

#8 @SergeyBiryukov
4 months ago

  • Milestone changed from Awaiting Review to 5.9
  • Owner set to SergeyBiryukov
  • Status changed from new to reviewing

#9 @henry.wright
4 months ago

Thinking about the solution for this. Although the patch solves the problem, displaying an error when an invalid query string is supplied isn't consistent with existing behaviour.

Currently when there is an invalid query such as action=abcdef, the login form is displayed. Login form display seems to be the default or "fallback"

@henry.wright
4 months ago

#10 @henry.wright
4 months ago

53348.diff is a solution which uses the login form as the default case when the query string isn't "valid"
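
The fallback behaviour discussed in comments #7, #9 and #10, as an added example that is not WordPress core code and not the contents of 53348.diff: an allowlist lookup that tolerates a missing or array-valued checkemail parameter and defaults to the login form. The function name resolve_checkemail_screen() and the screen labels are hypothetical.

```php
<?php
// Added illustration; not WordPress core code and not the contents of 53348.diff.
// The function name and the returned screen labels are hypothetical.

/**
 * Decide which screen to render from an untrusted query array.
 */
function resolve_checkemail_screen( array $query ): string {
    // The only two values the ticket reports as meaningful.
    $known = array(
        'confirm'    => 'message_confirm',
        'registered' => 'message_registered',
    );

    // Reading a missing key directly is what raised "Undefined index: checkemail".
    $value = $query['checkemail'] ?? null;

    // checkemail[]=confirm arrives as an array, so accept plain strings only.
    if ( is_string( $value ) && isset( $known[ $value ] ) ) {
        return $known[ $value ];
    }

    // Everything else falls back to the login form instead of a blank page.
    return 'login_form';
}

// Constructed sample input: query strings from the ticket plus an array-valued one.
$samples = array(
    'action=checkemail',
    'checkemail=foo',
    'checkemail=confirm',
    'checkemail=registered',
    'checkemail[]=confirm',
);

foreach ( $samples as $query_string ) {
    parse_str( $query_string, $query ); // Same parsing PHP uses to build $_GET.
    printf( "%-24s => %s\n", $query_string, resolve_checkemail_screen( $query ) );
}
```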
