mirror of
https://github.com/WordPress/WordPress.git
synced 2024-12-23 09:37:42 +01:00
Send emails when a user's email address or password is changed.
* In case of email change, email goes to the OLD address * Prevents against issues where an account is compromised (say via cookie interception) and then the attacker silently takes over ownership via pw/email changes — now there will at least be a record that something is up fixes #32430 props RMarks, MikeHansenMe, tharsheblows, obenland Built from https://develop.svn.wordpress.org/trunk@32820 git-svn-id: http://core.svn.wordpress.org/trunk@32791 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
parent
f62bf61b2c
commit
814865ea9e
@ -2140,17 +2140,159 @@ function wp_update_user($userdata) {
|
||||
// Escape data pulled from DB.
|
||||
$user = add_magic_quotes( $user );
|
||||
|
||||
// If password is changing, hash it now.
|
||||
if ( ! empty($userdata['user_pass']) ) {
|
||||
// If password is changing, hash it now
|
||||
$plaintext_pass = $userdata['user_pass'];
|
||||
$userdata['user_pass'] = wp_hash_password($userdata['user_pass']);
|
||||
$userdata['user_pass'] = wp_hash_password( $userdata['user_pass'] );
|
||||
/**
|
||||
* Filter to stop the sending of the password change email.
|
||||
*
|
||||
* @since 4.3
|
||||
* @see wp_insert_user() For $user and $userdata fields.
|
||||
*
|
||||
* @param bool Return false to not send the email.
|
||||
* @param array $user The original user array.
|
||||
* @param array $userdata The updated user array.
|
||||
*
|
||||
*/
|
||||
$send_pass_change_email = apply_filters( 'send_pass_change_email', true, $user, $userdata );
|
||||
}
|
||||
|
||||
wp_cache_delete($user[ 'user_email' ], 'useremail');
|
||||
if ( $user['user_email'] !== $userdata['user_email'] ) {
|
||||
/**
|
||||
* Filter to stop the sending of the email change email.
|
||||
*
|
||||
* @since 4.3
|
||||
* @see wp_insert_user() For $user and $userdata fields.
|
||||
*
|
||||
* @param bool Return false to not send the email.
|
||||
* @param array $user The original user array.
|
||||
* @param array $userdata The updated user array.
|
||||
*
|
||||
*/
|
||||
$send_email_change_email = apply_filters( 'send_email_change_email', true, $user, $userdata );
|
||||
}
|
||||
|
||||
wp_cache_delete( $user['user_email'], 'useremail' );
|
||||
|
||||
// Merge old and new fields with new fields overwriting old ones.
|
||||
$userdata = array_merge($user, $userdata);
|
||||
$user_id = wp_insert_user($userdata);
|
||||
$userdata = array_merge( $user, $userdata );
|
||||
$user_id = wp_insert_user( $userdata );
|
||||
|
||||
if ( ! is_wp_error( $user_id ) ) {
|
||||
|
||||
$blog_name = wp_specialchars_decode( get_option( 'blogname' ) );
|
||||
|
||||
if ( ! empty( $send_pass_change_email ) ) {
|
||||
|
||||
/* translators: Do not translate USERNAME, ADMIN_EMAIL, EMAIL, SITENAME, SITEURL: those are placeholders. */
|
||||
$pass_change_text = __( 'Hi ###USERNAME###,
|
||||
|
||||
This notice confirms that your password was changed on ###SITENAME###.
|
||||
|
||||
If you did not change your password, please contact the Site Administrator at
|
||||
###ADMIN_EMAIL###
|
||||
|
||||
This email has been sent to ###EMAIL###
|
||||
|
||||
Regards,
|
||||
All at ###SITENAME###
|
||||
###SITEURL###' );
|
||||
|
||||
$pass_change_email = array(
|
||||
'to' => $user['user_email'],
|
||||
'subject' => __( '[%s] Notice of Password Change' ),
|
||||
'message' => $pass_change_text,
|
||||
'headers' => '',
|
||||
);
|
||||
|
||||
/**
|
||||
* Filter the email sent when the user's password is changed.
|
||||
*
|
||||
* @since 4.3
|
||||
*
|
||||
* @param array $pass_change_email {
|
||||
* Used to build wp_mail(). https://developer.wordpress.org/reference/functions/wp_mail/
|
||||
* @type string $to The intended recipients. Add emails in a comma separated string.
|
||||
* @type string $subject The subject of the email.
|
||||
* @type string $message The content of the email.
|
||||
* The following strings have a special meaning and will get replaced dynamically:
|
||||
* ###USERNAME### The current user's username.
|
||||
* ###ADMIN_EMAIL### The admin email in case this was unexpected.
|
||||
* ###EMAIL### The old email.
|
||||
* ###SITENAME### The name of the site.
|
||||
* ###SITEURL### The URL to the site.
|
||||
* @type string $headers Headers. Add headers in a newline (\r\n) separated string.
|
||||
* }
|
||||
* @param array $user The original user array.
|
||||
* @param array $userdata The updated user array.
|
||||
*
|
||||
*/
|
||||
$pass_change_email = apply_filters( 'password_change_email', $pass_change_email, $user, $userdata );
|
||||
|
||||
$pass_change_email['message'] = str_replace( '###USERNAME###', $user['user_login'], $pass_change_email['message'] );
|
||||
$pass_change_email['message'] = str_replace( '###ADMIN_EMAIL###', get_option( 'admin_email' ), $pass_change_email['message'] );
|
||||
$pass_change_email['message'] = str_replace( '###EMAIL###', $user['user_email'], $pass_change_email['message'] );
|
||||
$pass_change_email['message'] = str_replace( '###SITENAME###', get_option( 'blogname' ), $pass_change_email['message'] );
|
||||
$pass_change_email['message'] = str_replace( '###SITEURL###', get_option( 'siteurl' ), $pass_change_email['message'] );
|
||||
|
||||
wp_mail( $pass_change_email['to'], sprintf( $pass_change_email['subject'], $blog_name ), $pass_change_email['message'], $pass_change_email['headers'] );
|
||||
}
|
||||
|
||||
if ( ! empty( $send_email_change_email ) ) {
|
||||
/* translators: Do not translate USERNAME, ADMIN_EMAIL, EMAIL, SITENAME, SITEURL: those are placeholders. */
|
||||
$email_change_text = __( 'Hi ###USERNAME###,
|
||||
|
||||
This notice confirms that your email was changed on ###SITENAME###.
|
||||
|
||||
If you did not change your email, please contact the Site Administrator at
|
||||
###ADMIN_EMAIL###
|
||||
|
||||
This email has been sent to ###EMAIL###
|
||||
|
||||
Regards,
|
||||
All at ###SITENAME###
|
||||
###SITEURL###' );
|
||||
|
||||
$email_change_email = array(
|
||||
'to' => $user['user_email'],
|
||||
'subject' => __( '[%s] Notice of Email Change' ),
|
||||
'message' => $email_change_text,
|
||||
'headers' => '',
|
||||
);
|
||||
|
||||
/**
|
||||
* Filter the email sent when the user's password is changed.
|
||||
*
|
||||
* @since 4.3
|
||||
*
|
||||
* @param array $email_change_email {
|
||||
* Used to build wp_mail(). https://developer.wordpress.org/reference/functions/wp_mail/
|
||||
* @type string $to The intended recipients.
|
||||
* @type string $subject The subject of the email.
|
||||
* @type string $message The content of the email.
|
||||
* The following strings have a special meaning and will get replaced dynamically:
|
||||
* ###USERNAME### The current user's username.
|
||||
* ###ADMIN_EMAIL### The admin email in case this was unexpected.
|
||||
* ###EMAIL### The old email.
|
||||
* ###SITENAME### The name of the site.
|
||||
* ###SITEURL### The URL to the site.
|
||||
* @type string $headers Headers.
|
||||
* }
|
||||
* @param array $user The original user array.
|
||||
* @param array $userdata The updated user array.
|
||||
*/
|
||||
$email_change_email = apply_filters( 'email_change_email', $email_change_email, $user, $userdata );
|
||||
|
||||
$email_change_email['message'] = str_replace( '###USERNAME###', $user['user_login'], $email_change_email['message'] );
|
||||
$email_change_email['message'] = str_replace( '###ADMIN_EMAIL###', get_option( 'admin_email' ), $email_change_email['message'] );
|
||||
$email_change_email['message'] = str_replace( '###EMAIL###', $user['user_email'], $email_change_email['message'] );
|
||||
$email_change_email['message'] = str_replace( '###SITENAME###', get_option( 'blogname' ), $email_change_email['message'] );
|
||||
$email_change_email['message'] = str_replace( '###SITEURL###', get_option( 'siteurl' ), $email_change_email['message'] );
|
||||
|
||||
wp_mail( $email_change_email['to'], sprintf( $email_change_email['subject'], $blog_name ), $email_change_email['message'], $email_change_email['headers'] );
|
||||
}
|
||||
}
|
||||
|
||||
// Update the cookies if the password changed.
|
||||
$current_user = wp_get_current_user();
|
||||
|
@ -4,7 +4,7 @@
|
||||
*
|
||||
* @global string $wp_version
|
||||
*/
|
||||
$wp_version = '4.3-alpha-32819';
|
||||
$wp_version = '4.3-alpha-32820';
|
||||
|
||||
/**
|
||||
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
|
||||
|
Loading…
Reference in New Issue
Block a user