diff --git a/wp-login.php b/wp-login.php index 7bb53343d1..0197167f65 100644 --- a/wp-login.php +++ b/wp-login.php @@ -562,10 +562,25 @@ break; case 'resetpass' : case 'rp' : - $user = check_password_reset_key($_GET['key'], $_GET['login']); + list( $rp_path ) = explode( '?', wp_unslash( $_SERVER['REQUEST_URI'] ) ); + $rp_cookie = 'wp-resetpass-' . COOKIEHASH; + if ( isset( $_GET['key'] ) ) { + $value = sprintf( '%s:%s', wp_unslash( $_GET['login'] ), wp_unslash( $_GET['key'] ) ); + setcookie( $rp_cookie, $value, 0, $rp_path, COOKIE_DOMAIN, is_ssl(), true ); + wp_safe_redirect( remove_query_arg( array( 'key', 'login' ) ) ); + exit; + } - if ( is_wp_error($user) ) { - if ( $user->get_error_code() === 'expired_key' ) + if ( isset( $_COOKIE[ $rp_cookie ] ) && 0 < strpos( $_COOKIE[ $rp_cookie ], ':' ) ) { + list( $rp_login, $rp_key ) = explode( ':', wp_unslash( $_COOKIE[ $rp_cookie ] ), 2 ); + $user = check_password_reset_key( $rp_key, $rp_login ); + } else { + $user = false; + } + + if ( ! $user || is_wp_error( $user ) ) { + setcookie( $rp_cookie, ' ', time() - YEAR_IN_SECONDS, $rp_path, COOKIE_DOMAIN, is_ssl(), true ); + if ( $user && $user->get_error_code() === 'expired_key' ) wp_redirect( site_url( 'wp-login.php?action=lostpassword&error=expiredkey' ) ); else wp_redirect( site_url( 'wp-login.php?action=lostpassword&error=invalidkey' ) ); @@ -589,6 +604,7 @@ case 'rp' : if ( ( ! $errors->get_error_code() ) && isset( $_POST['pass1'] ) && !empty( $_POST['pass1'] ) ) { reset_password($user, $_POST['pass1']); + setcookie( $rp_cookie, ' ', time() - YEAR_IN_SECONDS, $rp_path, COOKIE_DOMAIN, is_ssl(), true ); login_header( __( 'Password Reset' ), '
' ); login_footer(); exit; @@ -600,8 +616,8 @@ case 'rp' : login_header(__('Reset Password'), ' ', $errors ); ?> -