mirror of
https://github.com/WordPress/WordPress.git
synced 2024-12-23 01:27:36 +01:00
Users: Avoid ambiguous password reset URLs for usernames ending in a period.
When WordPress sends out a password-reset or new-user email, it generates a link for someone to follow in order to take them to the reset page. If the user login name ends in a period, however, that generated URL will end in a period and many email clients will confuse it with a sentence-ending period instead of being part of the query arguments. In this patch, the generated URL's query argument are rearranged so that the link will never end in a period. Alternative ideas were explored to create a new function to escape URL-ending periods, but this patch resolves the reported problem without raising any further architectural questions. Developed in https://github.com/WordPress/wordpress-develop/pull/6834 Discussed in https://core.trac.wordpress.org/ticket/42957 Props audrasjb, costdev, daveagp, dmsnell, hellofromTonya, markparnell, mukesh27, nhrrob, obrienlabs, paulcline. Fixes #42957. Built from https://develop.svn.wordpress.org/trunk@58674 git-svn-id: http://core.svn.wordpress.org/trunk@58076 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
parent
99c9e42672
commit
8269c3fcd6
@ -2224,7 +2224,15 @@ if ( ! function_exists( 'wp_new_user_notification' ) ) :
|
||||
/* translators: %s: User login. */
|
||||
$message = sprintf( __( 'Username: %s' ), $user->user_login ) . "\r\n\r\n";
|
||||
$message .= __( 'To set your password, visit the following address:' ) . "\r\n\r\n";
|
||||
$message .= network_site_url( "wp-login.php?action=rp&key=$key&login=" . rawurlencode( $user->user_login ), 'login' ) . "\r\n\r\n";
|
||||
|
||||
/*
|
||||
* Since some user login names end in a period, this could produce ambiguous URLs that
|
||||
* end in a period. To avoid the ambiguity, ensure that the login is not the last query
|
||||
* arg in the URL. If moving it to the end, a trailing period will need to be escaped.
|
||||
*
|
||||
* @see https://core.trac.wordpress.org/tickets/42957
|
||||
*/
|
||||
$message .= network_site_url( 'wp-login.php?login=' . rawurlencode( $user->user_login ) . "&key=$key&action=rp", 'login' ) . "\r\n\r\n";
|
||||
|
||||
$message .= wp_login_url() . "\r\n";
|
||||
|
||||
|
@ -3219,7 +3219,15 @@ function retrieve_password( $user_login = null ) {
|
||||
$message .= sprintf( __( 'Username: %s' ), $user_login ) . "\r\n\r\n";
|
||||
$message .= __( 'If this was a mistake, ignore this email and nothing will happen.' ) . "\r\n\r\n";
|
||||
$message .= __( 'To reset your password, visit the following address:' ) . "\r\n\r\n";
|
||||
$message .= network_site_url( "wp-login.php?action=rp&key=$key&login=" . rawurlencode( $user_login ), 'login' ) . '&wp_lang=' . $locale . "\r\n\r\n";
|
||||
|
||||
/*
|
||||
* Since some user login names end in a period, this could produce ambiguous URLs that
|
||||
* end in a period. To avoid the ambiguity, ensure that the login is not the last query
|
||||
* arg in the URL. If moving it to the end, a trailing period will need to be escaped.
|
||||
*
|
||||
* @see https://core.trac.wordpress.org/tickets/42957
|
||||
*/
|
||||
$message .= network_site_url( 'wp-login.php?login=' . rawurlencode( $user_login ) . "&key=$key&action=rp", 'login' ) . '&wp_lang=' . $locale . "\r\n\r\n";
|
||||
|
||||
if ( ! is_user_logged_in() ) {
|
||||
$requester_ip = $_SERVER['REMOTE_ADDR'];
|
||||
|
@ -16,7 +16,7 @@
|
||||
*
|
||||
* @global string $wp_version
|
||||
*/
|
||||
$wp_version = '6.7-alpha-58673';
|
||||
$wp_version = '6.7-alpha-58674';
|
||||
|
||||
/**
|
||||
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
|
||||
|
Loading…
Reference in New Issue
Block a user