From b271e36f4787d343d35138baa09d39ae47a277ad Mon Sep 17 00:00:00 2001
From: Andrew Nacin
Date: Thu, 20 Nov 2014 12:22:22 +0000
Subject: [PATCH] Form validation for password resets.

Built from https://develop.svn.wordpress.org/trunk@30417

git-svn-id: http://core.svn.wordpress.org/trunk@30412 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/version.php | 2 +-
 wp-login.php | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/wp-includes/version.php b/wp-includes/version.php
index 56552b730c..af1302a853 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '4.1-beta1-30412';
+$wp_version = '4.1-beta1-30417';
 
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
diff --git a/wp-login.php b/wp-login.php
index ffd50e68ea..7ed69bc74d 100644
--- a/wp-login.php
+++ b/wp-login.php
@@ -576,6 +576,9 @@ case 'rp' :
 if ( isset( $_COOKIE[ $rp_cookie ] ) && 0 < strpos( $_COOKIE[ $rp_cookie ], ':' ) ) {
 list( $rp_login, $rp_key ) = explode( ':', wp_unslash( $_COOKIE[ $rp_cookie ] ), 2 );
 $user = check_password_reset_key( $rp_key, $rp_login );
+ if ( isset( $_POST['pass1'] ) && ! hash_equals( $rp_key, $_POST['rp_key'] ) ) {
+ $user = false;
+ }
 } else {
 $user = false;
 }
@@ -644,6 +647,7 @@ case 'rp' :
 */
 do_action( 'resetpass_form', $user );
 ?>
+
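Review bot: The new guard in the first wp-login.php hunk reads `$_POST['rp_key']` without checking that it is present and is a string, so a submission that carries `pass1` but omits `rp_key`, or sends it as an array, produces an undefined-index notice or a `hash_equals()` type warning rather than a clean mismatch, and it also skips the `wp_unslash()` that the cookie value on the line above receives. The comparison still fails closed in those cases as far as I can tell, so this is robustness rather than a bypass, but the path is reachable by anyone who can reach the reset form. Consider `$posted_key = isset( $_POST['rp_key'] ) && is_string( $_POST['rp_key'] ) ? wp_unslash( $_POST['rp_key'] ) : '';` followed by `if ( isset( $_POST['pass1'] ) && ! hash_equals( $rp_key, $posted_key ) ) {`, which keeps the cookie-derived key as the known-length first argument and treats a missing field as a mismatch; if the project's minimum PHP predates native `hash_equals()`, confirm a polyfill is loaded before this file runs. The `case 'rp' :` branch this sits in starts before the hunk and continues after it, and the second hunk's added form field is truncated in this view, so I could not confirm that the field it adds is named `rp_key`.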