Users: Avoid ambiguous password reset URLs for usernames ending in a …

…period. When WordPress sends out a password-reset or new-user email, it generates a link for someone to follow in order to take them to the reset page. If the user login name ends in a period, however, that generated URL will end in a period and many email clients will confuse it with a sentence-ending period instead of being part of the query arguments. In this patch, the generated URL's query argument are rearranged so that the link will never end in a period. Alternative ideas were explored to create a new function to escape URL-ending periods, but this patch resolves the reported problem without raising any further architectural questions. Developed in #6834 Discussed in https://core.trac.wordpress.org/ticket/42957 Props audrasjb, costdev, daveagp, dmsnell, hellofromTonya, markparnell, mukesh27, nhrrob, obrienlabs, paulcline. Fixes #42957. git-svn-id: https://develop.svn.wordpress.org/trunk@58674 602fd350-edb4-49c9-b593-d223f7449a82
WordPress · Jul 4, 2024 · 82deed3 · 82deed3
1 parent 70bad67
commit 82deed3
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 2 deletions.
diff --git a/src/wp-includes/pluggable.php b/src/wp-includes/pluggable.php
@@ -2224,7 +2224,15 @@ function wp_new_user_notification( $user_id, $deprecated = null, $notify = '' )
 		/* translators: %s: User login. */
 		$message  = sprintf( __( 'Username: %s' ), $user->user_login ) . "\r\n\r\n";
 		$message .= __( 'To set your password, visit the following address:' ) . "\r\n\r\n";
-		$message .= network_site_url( "wp-login.php?action=rp&key=$key&login=" . rawurlencode( $user->user_login ), 'login' ) . "\r\n\r\n";
+
+		/*
+		 * Since some user login names end in a period, this could produce ambiguous URLs that
+		 * end in a period. To avoid the ambiguity, ensure that the login is not the last query
+		 * arg in the URL. If moving it to the end, a trailing period will need to be escaped.
+		 *
+		 * @see https://core.trac.wordpress.org/tickets/42957
+		 */
+		$message .= network_site_url( 'wp-login.php?login=' . rawurlencode( $user->user_login ) . "&key=$key&action=rp", 'login' ) . "\r\n\r\n";
 
 		$message .= wp_login_url() . "\r\n";
 

diff --git a/src/wp-includes/user.php b/src/wp-includes/user.php
@@ -3219,7 +3219,15 @@ function retrieve_password( $user_login = null ) {
 	$message .= sprintf( __( 'Username: %s' ), $user_login ) . "\r\n\r\n";
 	$message .= __( 'If this was a mistake, ignore this email and nothing will happen.' ) . "\r\n\r\n";
 	$message .= __( 'To reset your password, visit the following address:' ) . "\r\n\r\n";
-	$message .= network_site_url( "wp-login.php?action=rp&key=$key&login=" . rawurlencode( $user_login ), 'login' ) . '&wp_lang=' . $locale . "\r\n\r\n";
+
+	/*
+	 * Since some user login names end in a period, this could produce ambiguous URLs that
+	 * end in a period. To avoid the ambiguity, ensure that the login is not the last query
+	 * arg in the URL. If moving it to the end, a trailing period will need to be escaped.
+	 *
+	 * @see https://core.trac.wordpress.org/tickets/42957
+	 */
+	$message .= network_site_url( 'wp-login.php?login=' . rawurlencode( $user_login ) . "&key=$key&action=rp", 'login' ) . '&wp_lang=' . $locale . "\r\n\r\n";
 
 	if ( ! is_user_logged_in() ) {
 		$requester_ip = $_SERVER['REMOTE_ADDR'];