Skip to content

Commit

Permalink
Users: Avoid ambiguous password reset URLs for usernames ending in a …
Browse files Browse the repository at this point in the history
…period.

When WordPress sends out a password-reset or new-user email, it generates
a link for someone to follow in order to take them to the reset page. If
the user login name ends in a period, however, that generated URL will
end in a period and many email clients will confuse it with a
sentence-ending period instead of being part of the query arguments.

In this patch, the generated URL's query argument are rearranged so that
the link will never end in a period. Alternative ideas were explored to
create a new function to escape URL-ending periods, but this patch resolves
the reported problem without raising any further architectural questions.

Developed in WordPress/wordpress-develop#6834
Discussed in https://core.trac.wordpress.org/ticket/42957

Props audrasjb, costdev, daveagp, dmsnell, hellofromTonya, markparnell, mukesh27, nhrrob, obrienlabs, paulcline.
Fixes #42957.

Built from https://develop.svn.wordpress.org/trunk@58674


git-svn-id: http://core.svn.wordpress.org/trunk@58076 1a063a9b-81f0-0310-95a4-ce76da25c4cd
  • Loading branch information
dmsnell committed Jul 4, 2024
1 parent 99c9e42 commit 8269c3f
Show file tree
Hide file tree
Showing 3 changed files with 19 additions and 3 deletions.
10 changes: 9 additions & 1 deletion wp-includes/pluggable.php
Original file line number Diff line number Diff line change
Expand Up @@ -2224,7 +2224,15 @@ function wp_new_user_notification( $user_id, $deprecated = null, $notify = '' )
/* translators: %s: User login. */
$message = sprintf( __( 'Username: %s' ), $user->user_login ) . "\r\n\r\n";
$message .= __( 'To set your password, visit the following address:' ) . "\r\n\r\n";
$message .= network_site_url( "wp-login.php?action=rp&key=$key&login=" . rawurlencode( $user->user_login ), 'login' ) . "\r\n\r\n";

/*
* Since some user login names end in a period, this could produce ambiguous URLs that
* end in a period. To avoid the ambiguity, ensure that the login is not the last query
* arg in the URL. If moving it to the end, a trailing period will need to be escaped.
*
* @see https://core.trac.wordpress.org/tickets/42957
*/
$message .= network_site_url( 'wp-login.php?login=' . rawurlencode( $user->user_login ) . "&key=$key&action=rp", 'login' ) . "\r\n\r\n";

$message .= wp_login_url() . "\r\n";

Expand Down
10 changes: 9 additions & 1 deletion wp-includes/user.php
Original file line number Diff line number Diff line change
Expand Up @@ -3219,7 +3219,15 @@ function retrieve_password( $user_login = null ) {
$message .= sprintf( __( 'Username: %s' ), $user_login ) . "\r\n\r\n";
$message .= __( 'If this was a mistake, ignore this email and nothing will happen.' ) . "\r\n\r\n";
$message .= __( 'To reset your password, visit the following address:' ) . "\r\n\r\n";
$message .= network_site_url( "wp-login.php?action=rp&key=$key&login=" . rawurlencode( $user_login ), 'login' ) . '&wp_lang=' . $locale . "\r\n\r\n";

/*
* Since some user login names end in a period, this could produce ambiguous URLs that
* end in a period. To avoid the ambiguity, ensure that the login is not the last query
* arg in the URL. If moving it to the end, a trailing period will need to be escaped.
*
* @see https://core.trac.wordpress.org/tickets/42957
*/
$message .= network_site_url( 'wp-login.php?login=' . rawurlencode( $user_login ) . "&key=$key&action=rp", 'login' ) . '&wp_lang=' . $locale . "\r\n\r\n";

if ( ! is_user_logged_in() ) {
$requester_ip = $_SERVER['REMOTE_ADDR'];
Expand Down
2 changes: 1 addition & 1 deletion wp-includes/version.php
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@
*
* @global string $wp_version
*/
$wp_version = '6.7-alpha-58673';
$wp_version = '6.7-alpha-58674';

/**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
Expand Down

0 comments on commit 8269c3f

Please sign in to comment.