WordPress-C
/
WordPress
mirror of https://github.com/WordPress/WordPress.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Users: Avoid ambiguous password reset URLs for usernames ending in a period. 

When WordPress sends out a password-reset or new-user email, it generates
a link for someone to follow in order to take them to the reset page. If
the user login name ends in a period, however, that generated URL will
end in a period and many email clients will confuse it with a
sentence-ending period instead of being part of the query arguments.

In this patch, the generated URL's query argument are rearranged so that
the link will never end in a period. Alternative ideas were explored to
create a new function to escape URL-ending periods, but this patch resolves
the reported problem without raising any further architectural questions.

Developed in https://github.com/WordPress/wordpress-develop/pull/6834
Discussed in https://core.trac.wordpress.org/ticket/42957

Props audrasjb, costdev, daveagp, dmsnell, hellofromTonya, markparnell, mukesh27, nhrrob, obrienlabs, paulcline.
Fixes #42957.

Built from https://develop.svn.wordpress.org/trunk@58674


git-svn-id: http://core.svn.wordpress.org/trunk@58076 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
dmsnell 2024-07-04 22:01:22 +00:00
parent 99c9e42672
commit 8269c3fcd6
3 changed files with 19 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
wp-includes/pluggable.php
View File

@ -2224,7 +2224,15 @@ if ( ! function_exists( 'wp_new_user_notification' ) ) :
/* translators: %s: User login. */
$message = sprintf( __( 'Username: %s' ), $user->user_login ) . "\r\n\r\n";
$message .= __( 'To set your password, visit the following address:' ) . "\r\n\r\n";
$message .= network_site_url( "wp-login.php?action=rp&key=$key&login=" . rawurlencode( $user->user_login ), 'login' ) . "\r\n\r\n";
/*
* Since some user login names end in a period, this could produce ambiguous URLs that
* end in a period. To avoid the ambiguity, ensure that the login is not the last query
* arg in the URL. If moving it to the end, a trailing period will need to be escaped.
*
* @see https://core.trac.wordpress.org/tickets/42957
*/
$message .= network_site_url( 'wp-login.php?login=' . rawurlencode( $user->user_login ) . "&key=$key&action=rp", 'login' ) . "\r\n\r\n";
$message .= wp_login_url() . "\r\n";

10
wp-includes/user.php
View File

@ -3219,7 +3219,15 @@ function retrieve_password( $user_login = null ) {
$message .= sprintf( __( 'Username: %s' ), $user_login ) . "\r\n\r\n";
$message .= __( 'If this was a mistake, ignore this email and nothing will happen.' ) . "\r\n\r\n";
$message .= __( 'To reset your password, visit the following address:' ) . "\r\n\r\n";
$message .= network_site_url( "wp-login.php?action=rp&key=$key&login=" . rawurlencode( $user_login ), 'login' ) . '&wp_lang=' . $locale . "\r\n\r\n";
/*
* Since some user login names end in a period, this could produce ambiguous URLs that
* end in a period. To avoid the ambiguity, ensure that the login is not the last query
* arg in the URL. If moving it to the end, a trailing period will need to be escaped.
*
* @see https://core.trac.wordpress.org/tickets/42957
*/
$message .= network_site_url( 'wp-login.php?login=' . rawurlencode( $user_login ) . "&key=$key&action=rp", 'login' ) . '&wp_lang=' . $locale . "\r\n\r\n";
if ( ! is_user_logged_in() ) {
$requester_ip = $_SERVER['REMOTE_ADDR'];

2
wp-includes/version.php
View File

@ -16,7 +16,7 @@
*
* @global string $wp_version
*/
$wp_version = '6.7-alpha-58673';
$wp_version = '6.7-alpha-58674';
/**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.