Make WordPress Core

Opened 3 years ago

Closed 3 years ago

Last modified 18 months ago

#53699 closed defect (bug) (duplicate)

Attempting to reset an email which contains an apostrophe causes an invalid key error

Reported by: brightminded
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 2.2
Component: Users
Keywords:
Focuses:
Cc:

Description

This appears to be because when get_password_reset_key is called for a user with an apostrophe in their email, the new user_activation_key that is generated is not properly saved to the database.
This seems to be caused by this if statement in wp_insert_user on line 2018 of wp-includes/user.php:

if ( $user_email !== $old_user_data->user_email || $user_pass !== $old_user_data->user_pass ) {
        $data['user_activation_key'] = '';
}

At two points before this, the user email is sanitized so that apostrophes are escaped, causing the apostrophe to be preceded by a backslash, whereas $old_user_data->user_email is not; thus the check fails and the new user_activation_key saved by get_password_reset_key is blank, causing the next call of check_password_reset_key to return an invalid key error.

E.g., if trying to reset the password for an account whose email was "123'abc@…", $user_email would contain "123\'abc@…", and $old_user_data->user_email would contain "123'abc@…".

The email address gets escaped at the following two lines (also in wp-includes/user.php) before that if statement in wp_insert_user:
2167: $user = add_magic_quotes( $user );
1855: $user_email = apply_filters( 'pre_user_email', $raw_user_email );
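
The mismatch described in the ticket, reproduced outside WordPress as an added example (not code from the ticket or from WordPress core): addslashes() stands in for add_magic_quotes(), and the function names, addresses, hash and key are constructed. The second comparison, which unslashes before comparing, is one assumed way to compare like with like, not the change made in core.

```php
<?php
// Stand-in for add_magic_quotes(): slash every string value in the array.
function demo_add_magic_quotes( array $input ) {
    return array_map(
        static function ( $value ) {
            return is_string( $value ) ? addslashes( $value ) : $value;
        },
        $input
    );
}

// Comparison as quoted in the ticket: slashed input against the raw stored row.
function key_cleared_as_reported( array $slashed, stdClass $old ) {
    return $slashed['user_email'] !== $old->user_email
        || $slashed['user_pass'] !== $old->user_pass;
}

// Assumed alternative: unslash the incoming values so both sides use one encoding.
function key_cleared_normalized( array $slashed, stdClass $old ) {
    return stripslashes( $slashed['user_email'] ) !== $old->user_email
        || stripslashes( $slashed['user_pass'] ) !== $old->user_pass;
}

// Constructed stored rows; only the first address contains an apostrophe.
$emails = array( "o'neil@example.test", 'plain@example.test' );

foreach ( $emails as $email ) {
    $old = (object) array(
        'user_email' => $email,
        'user_pass'  => 'constructed-hash',
    );

    // An update that changes nothing except the activation key,
    // as when a fresh password reset key is being stored.
    $update = demo_add_magic_quotes( array(
        'user_email'          => $old->user_email,
        'user_pass'           => $old->user_pass,
        'user_activation_key' => 'constructed-key',
    ) );

    printf(
        "%-22s key cleared (as reported): %-5s key cleared (normalized): %s\n",
        $email,
        var_export( key_cleared_as_reported( $update, $old ), true ),
        var_export( key_cleared_normalized( $update, $old ), true )
    );
}
```

Only the address with the apostrophe reports the key as cleared under the quoted comparison, even though neither the email nor the password changed.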

Change History (3)

#1 @sabernhardt
3 years ago

  • Component changed from General to Users

#2 @desrosj
3 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed
  • Version changed from 5.7.2 to 2.2

Thanks for this ticket, @brightminded. And welcome to Trac!

This seems like a duplicate of #52529. Going to close out as such.

#3 @kebbet
18 months ago

#58003 was marked as a duplicate.
