diff --git a/wp-includes/pluggable.php b/wp-includes/pluggable.php index 04a4ef8b55..0e9e0d4579 100644 --- a/wp-includes/pluggable.php +++ b/wp-includes/pluggable.php @@ -2224,7 +2224,15 @@ if ( ! function_exists( 'wp_new_user_notification' ) ) : /* translators: %s: User login. */ $message = sprintf( __( 'Username: %s' ), $user->user_login ) . "\r\n\r\n"; $message .= __( 'To set your password, visit the following address:' ) . "\r\n\r\n"; - $message .= network_site_url( "wp-login.php?action=rp&key=$key&login=" . rawurlencode( $user->user_login ), 'login' ) . "\r\n\r\n"; + + /* + * Since some user login names end in a period, this could produce ambiguous URLs that + * end in a period. To avoid the ambiguity, ensure that the login is not the last query + * arg in the URL. If moving it to the end, a trailing period will need to be escaped. + * + * @see https://core.trac.wordpress.org/tickets/42957 + */ + $message .= network_site_url( 'wp-login.php?login=' . rawurlencode( $user->user_login ) . "&key=$key&action=rp", 'login' ) . "\r\n\r\n"; $message .= wp_login_url() . "\r\n"; diff --git a/wp-includes/user.php b/wp-includes/user.php index 38ff198286..5a05fff2f4 100644 --- a/wp-includes/user.php +++ b/wp-includes/user.php @@ -3219,7 +3219,15 @@ function retrieve_password( $user_login = null ) { $message .= sprintf( __( 'Username: %s' ), $user_login ) . "\r\n\r\n"; $message .= __( 'If this was a mistake, ignore this email and nothing will happen.' ) . "\r\n\r\n"; $message .= __( 'To reset your password, visit the following address:' ) . "\r\n\r\n"; - $message .= network_site_url( "wp-login.php?action=rp&key=$key&login=" . rawurlencode( $user_login ), 'login' ) . '&wp_lang=' . $locale . "\r\n\r\n"; + + /* + * Since some user login names end in a period, this could produce ambiguous URLs that + * end in a period. To avoid the ambiguity, ensure that the login is not the last query + * arg in the URL. If moving it to the end, a trailing period will need to be escaped. + * + * @see https://core.trac.wordpress.org/tickets/42957 + */ + $message .= network_site_url( 'wp-login.php?login=' . rawurlencode( $user_login ) . "&key=$key&action=rp", 'login' ) . '&wp_lang=' . $locale . "\r\n\r\n"; if ( ! is_user_logged_in() ) { $requester_ip = $_SERVER['REMOTE_ADDR']; diff --git a/wp-includes/version.php b/wp-includes/version.php index 1db4f12258..3acd190779 100644 --- a/wp-includes/version.php +++ b/wp-includes/version.php @@ -16,7 +16,7 @@ * * @global string $wp_version */ -$wp_version = '6.7-alpha-58673'; +$wp_version = '6.7-alpha-58674'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.