#53699 closed defect (bug) (duplicate)
Attempting to reset an email which contains an apostrophe causes an invalid key error
Reported by: | brightminded | Owned by: | |
---|---|---|---|
Milestone: | | Priority: | normal |
Severity: | normal | Version: | 2.2 |
Component: | Users | Keywords: | |
Focuses: | | Cc: | |
Description
This appears to be because when get_password_reset_key is called for a user with an apostrophe in their email, the new user_activation_key that is generated is not properly saved to the database.
This seems to be caused by this if statement in wp_insert_user on line 2018 of wp-includes/user.php:
```php
if ( $user_email !== $old_user_data->user_email || $user_pass !== $old_user_data->user_pass ) {
	$data['user_activation_key'] = '';
}
```
At two points before this, the user email is sanitized so that apostrophes are escaped, causing the apostrophe to be preceded by a backslash, whereas $old_user_data->user_email is not; thus the check fails and the new user_activation_key saved by get_password_reset_key is blank, causing the next call of check_password_reset_key to return an invalid key error.
e.g. If trying to reset the password for an account whose email was "123'abc@…", $user_email would contain "123\'abc@…", and $old_user_data->user_email would contain "123'abc@…".
The email address gets escaped at the following two lines (also in wp-includes/user.php) before that if statement in wp_insert_user:
2167: $user = add_magic_quotes( $user );
1855: $user_email = apply_filters( 'pre_user_email', $raw_user_email );
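
The mismatch described in this ticket, reduced to a stand-alone PHP sketch. This is an added example, not WordPress core code and not the reporter's: `update_user_sketch()`, the `example.test` address, the hash and the key values are constructed, and unslashing before the comparison is shown only as one way to make the two sides comparable, not as the change made for #52529.

```php
<?php
// Constructed stand-in for the row already stored in the users table.
$stored = (object) array(
	'user_email'          => "123'abc@example.test", // constructed address with an apostrophe
	'user_pass'           => '$P$constructedhash',   // constructed value, not a real hash
	'user_activation_key' => '',
);

/**
 * Hypothetical reduction of the update path from the ticket: the caller
 * supplies a new activation key, every string field is slashed, and the
 * slashed email is then compared with the unslashed stored email.
 */
function update_user_sketch( $stored, array $fields, $unslash_before_compare ) {
	$user = array_merge( (array) $stored, $fields );

	// add_magic_quotes() applies addslashes() to string values; mirrored here.
	$user = array_map( 'addslashes', $user );

	$email = $user['user_email'];
	if ( $unslash_before_compare ) {
		// Assumption: compare like with like by removing the added slashes first.
		$email = stripslashes( $email );
	}

	$data = array( 'user_activation_key' => stripslashes( $user['user_activation_key'] ) );

	// The condition quoted in the ticket: any difference blanks the key.
	if ( $email !== $stored->user_email || $user['user_pass'] !== $stored->user_pass ) {
		$data['user_activation_key'] = '';
	}

	return $data['user_activation_key'];
}

$new_key = '1700000000:constructedkeyhash'; // constructed "timestamp:hash" value
$fields  = array( 'user_activation_key' => $new_key );

// Slashed vs. unslashed comparison, as the ticket describes it.
echo 'raw comparison keeps key:       ';
var_dump( update_user_sketch( $stored, $fields, false ) === $new_key );

// Same update with the email unslashed before the comparison.
echo 'unslashed comparison keeps key: ';
var_dump( update_user_sketch( $stored, $fields, true ) === $new_key );
```

The same run with an address that contains no apostrophe keeps the key in both modes, which is why only affected accounts hit the invalid key error.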
Thanks for this ticket, @brightminded. And welcome to Trac!
This seems like a duplicate of #52529. Going to close out as such.