<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[42964] trunk/src: Privacy: fixes and updates for the method to confirm user requests by email.</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta" style="font-size: 105%">
<dt style="float: left; width: 6em; font-weight: bold">Revision</dt> <dd><a style="font-weight: bold" href="https://core.trac.wordpress.org/changeset/42964">42964</a><script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","description":"Review this Commit","action":{"@type":"ViewAction","url":"https://core.trac.wordpress.org/changeset/42964","name":"Review Commit"}}</script></dd>
<dt style="float: left; width: 6em; font-weight: bold">Author</dt> <dd>azaozz</dd>
<dt style="float: left; width: 6em; font-weight: bold">Date</dt> <dd>2018-04-06 19:09:53 +0000 (Fri, 06 Apr 2018)</dd>
</dl>
<pre style='padding-left: 1em; margin: 2em 0; border-left: 2px solid #ccc; line-height: 1.25; font-size: 105%; font-family: sans-serif'>Privacy: fixes and updates for the method to confirm user requests by email.
- Improve function and variable names.
- Allow extra data to be passed with the request.
- Make the option/user meta names more consistent.
- Adds an inline comment explaining use of hash.
Props mikejolley.
See <a href="https://core.trac.wordpress.org/ticket/43443">#43443</a>.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunksrcwpincludesuserphp">trunk/src/wp-includes/user.php</a></li>
<li><a href="#trunksrcwploginphp">trunk/src/wp-login.php</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunksrcwpincludesuserphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/src/wp-includes/user.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/src/wp-includes/user.php 2018-04-06 07:46:14 UTC (rev 42963)
+++ trunk/src/wp-includes/user.php 2018-04-06 19:09:53 UTC (rev 42964)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -2815,20 +2815,28 @@
</span><span class="cx" style="display: block; padding: 0 10px"> *
</span><span class="cx" style="display: block; padding: 0 10px"> * @since 5.0.0
</span><span class="cx" style="display: block; padding: 0 10px"> *
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- * @param string $action_name Name of the action that is being confirmed.
- * @param string $action_description User facing description of the action they will be confirming.
- * @param string $email User email address. This can be the address of a registered or non-registered user. Defaults to logged in user email address.
- *
- * @return WP_ERROR|bool Will return true/false based on the success of sending the email, or a WP_Error object.
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ * @param string $email User email address. This can be the address of a registered or non-registered user. Defaults to logged in user email address.
+ * @param string $action_name Name of the action that is being confirmed. Defaults to 'confirm_email'.
+ * @param string $action_description User facing description of the action they will be confirming. Defaults to "confirm your email address".
+ * @param array $request_data Misc data you want to send with the verification request and pass to the actions once the request is confirmed.
+ * @return WP_Error|bool Will return true/false based on the success of sending the email, or a WP_Error object.
</ins><span class="cx" style="display: block; padding: 0 10px"> */
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-function send_confirm_account_action_email( $action_name, $action_description = '', $email = '' ) {
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+function wp_send_account_verification_key( $email = '', $action_name = '', $action_description = '', $request_data = array() ) {
+ if ( ! function_exists( 'wp_get_current_user' ) ) {
+ return new WP_Error( 'invalid', __( 'This function cannot be used before init.' ) );
+ }
+
</ins><span class="cx" style="display: block; padding: 0 10px"> $action_name = sanitize_key( $action_name );
</span><span class="cx" style="display: block; padding: 0 10px"> $action_description = wp_kses_post( $action_description );
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> if ( empty( $action_name ) ) {
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- return new WP_Error( 'invalid_action', __( 'Invalid action' ) );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $action_name = 'confirm_email';
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ if ( empty( $action_description ) ) {
+ $action_description = __( 'Confirm your email address.' );
+ }
+
</ins><span class="cx" style="display: block; padding: 0 10px"> if ( empty( $email ) ) {
</span><span class="cx" style="display: block; padding: 0 10px"> $user = wp_get_current_user();
</span><span class="cx" style="display: block; padding: 0 10px"> $email = $user->ID ? $user->user_email : '';
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -2846,30 +2854,31 @@
</span><span class="cx" style="display: block; padding: 0 10px"> $user = get_user_by( 'email', $email );
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- // We could be dealing with a registered user account, or a visitor.
- $is_registered_user = $user && ! is_wp_error( $user );
- $uid = $is_registered_user ? $user->ID : hash( 'sha256', $email );
- $confirm_key = get_confirm_account_action_key( $action_name, $email );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $confirm_key = wp_get_account_verification_key( $email, $action_name, $request_data );
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> if ( is_wp_error( $confirm_key ) ) {
</span><span class="cx" style="display: block; padding: 0 10px"> return $confirm_key;
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- // Prepare the email content.
- if ( ! $action_description ) {
- $action_description = $action_name;
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ // We could be dealing with a registered user account, or a visitor.
+ $is_registered_user = $user && ! is_wp_error( $user );
+
+ if ( $is_registered_user ) {
+ $uid = $user->ID;
+ } else {
+ // Generate a UID for this email address so we don't send the actual email in the query string. Hash is not supported on all systems.
+ $uid = function_exists( 'hash' ) ? hash( 'sha256', $email ) : sha1( $email );
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> /* translators: Do not translate DESCRIPTION, CONFIRM_URL, EMAIL, SITENAME, SITEURL: those are placeholders. */
</span><span class="cx" style="display: block; padding: 0 10px"> $email_text = __(
</span><span class="cx" style="display: block; padding: 0 10px"> 'Howdy,
</span><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-An account linked to your email address has requested to perform
-the following action:
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+A request has been made to perform the following action on your account:
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> ###DESCRIPTION###
</span><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-To confirm this action, please click on the following link:
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+To confirm this, please click on the following link:
</ins><span class="cx" style="display: block; padding: 0 10px"> ###CONFIRM_URL###
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> You can safely ignore and delete this email if you do not want to
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -2887,7 +2896,7 @@
</span><span class="cx" style="display: block; padding: 0 10px"> 'email' => $email,
</span><span class="cx" style="display: block; padding: 0 10px"> 'description' => $action_description,
</span><span class="cx" style="display: block; padding: 0 10px"> 'confirm_url' => add_query_arg( array(
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- 'action' => 'emailconfirm',
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ 'action' => 'verifyaccount',
</ins><span class="cx" style="display: block; padding: 0 10px"> 'confirm_action' => $action_name,
</span><span class="cx" style="display: block; padding: 0 10px"> 'uid' => $uid,
</span><span class="cx" style="display: block; padding: 0 10px"> 'confirm_key' => $confirm_key,
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -2907,6 +2916,8 @@
</span><span class="cx" style="display: block; padding: 0 10px"> * ###SITENAME### The name of the site.
</span><span class="cx" style="display: block; padding: 0 10px"> * ###SITEURL### The URL to the site.
</span><span class="cx" style="display: block; padding: 0 10px"> *
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ * @since 5.0.0
+ *
</ins><span class="cx" style="display: block; padding: 0 10px"> * @param string $email_text Text in the email.
</span><span class="cx" style="display: block; padding: 0 10px"> * @param array $email_data {
</span><span class="cx" style="display: block; padding: 0 10px"> * Data relating to the account action email.
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -2919,7 +2930,7 @@
</span><span class="cx" style="display: block; padding: 0 10px"> * @type string $siteurl The site URL sending the mail.
</span><span class="cx" style="display: block; padding: 0 10px"> * }
</span><span class="cx" style="display: block; padding: 0 10px"> */
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- $content = apply_filters( 'confirm_account_action_email_content', $email_text, $email_data );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $content = apply_filters( 'account_verification_email_content', $email_text, $email_data );
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> $content = str_replace( '###DESCRIPTION###', $email_data['description'], $content );
</span><span class="cx" style="display: block; padding: 0 10px"> $content = str_replace( '###CONFIRM_URL###', esc_url_raw( $email_data['confirm_url'] ), $content );
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -2928,7 +2939,7 @@
</span><span class="cx" style="display: block; padding: 0 10px"> $content = str_replace( '###SITEURL###', esc_url_raw( $email_data['siteurl'] ), $content );
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> /* translators: %s Site name. */
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- return wp_mail( $email_data['email'], sprintf( __( '[%s] Confirm Account Action' ), wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ) ), $content );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ return wp_mail( $email_data['email'], sprintf( __( '[%s] Confirm Action' ), wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ) ), $content );
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> /**
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -2936,12 +2947,12 @@
</span><span class="cx" style="display: block; padding: 0 10px"> *
</span><span class="cx" style="display: block; padding: 0 10px"> * @since 5.0.0
</span><span class="cx" style="display: block; padding: 0 10px"> *
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- * @param string $action_name Name of the action this key is being generated for.
- * @param string $email User email address. This can be the address of a registered or non-registered user.
- *
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ * @param string $email User email address. This can be the address of a registered or non-registered user.
+ * @param string $action_name Name of the action this key is being generated for.
+ * @param array $request_data Misc data you want to send with the verification request and pass to the actions once the request is confirmed.
</ins><span class="cx" style="display: block; padding: 0 10px"> * @return string|WP_Error Confirmation key on success. WP_Error on error.
</span><span class="cx" style="display: block; padding: 0 10px"> */
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-function get_confirm_account_action_key( $action_name, $email ) {
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+function wp_get_account_verification_key( $email, $action_name, $request_data = array() ) {
</ins><span class="cx" style="display: block; padding: 0 10px"> global $wp_hasher;
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> if ( ! is_email( $email ) ) {
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -2967,15 +2978,23 @@
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> $hashed_key = $wp_hasher->HashPassword( $key );
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $value = array(
+ 'action' => $action_name,
+ 'time' => time(),
+ 'hash' => $hashed_key,
+ 'email' => $email,
+ 'request_data' => $request_data,
+ );
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> if ( $is_registered_user ) {
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- $key_saved = (bool) update_user_meta( $user->ID, '_account_action_' . $action_name, implode( ':', array( time(), $hashed_key ) ) );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $key_saved = (bool) update_user_meta( $user->ID, '_verify_action_' . $action_name, wp_json_encode( $value ) );
</ins><span class="cx" style="display: block; padding: 0 10px"> } else {
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- $key_saved = (bool) update_site_option( '_account_action_' . hash( 'sha256', $email ) . '_' . $action_name, implode( ':', array( time(), $hashed_key, $email ) ) );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $uid = function_exists( 'hash' ) ? hash( 'sha256', $email ) : sha1( $email );
+ $key_saved = (bool) update_site_option( '_verify_action_' . $action_name . '_' . $uid, wp_json_encode( $value ) );
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> if ( false === $key_saved ) {
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- return new WP_Error( 'no_confirm_account_action_key_update', __( 'Could not save confirm account action key to database.' ) );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ return new WP_Error( 'no_account_verification_key_update', __( 'Could not save confirm account action key to database.' ) );
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> return $key;
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -2986,81 +3005,95 @@
</span><span class="cx" style="display: block; padding: 0 10px"> *
</span><span class="cx" style="display: block; padding: 0 10px"> * @since 5.0.0
</span><span class="cx" style="display: block; padding: 0 10px"> *
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- * @param string $action_name Name of the action this key is being generated for.
</del><span class="cx" style="display: block; padding: 0 10px"> * @param string $key Key to confirm.
</span><span class="cx" style="display: block; padding: 0 10px"> * @param string $uid Email hash or user ID.
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- *
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ * @param string $action_name Name of the action this key is being generated for.
</ins><span class="cx" style="display: block; padding: 0 10px"> * @return array|WP_Error WP_Error on failure, action name and user email address on success.
</span><span class="cx" style="display: block; padding: 0 10px"> */
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-function check_confirm_account_action_key( $action_name, $key, $uid ) {
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+function wp_check_account_verification_key( $key, $uid, $action_name ) {
</ins><span class="cx" style="display: block; padding: 0 10px"> global $wp_hasher;
</span><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- if ( ! empty( $action_name ) && ! empty( $key ) && ! empty( $uid ) ) {
- $user = false;
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ if ( empty( $action_name ) || empty( $key ) || empty( $uid ) ) {
+ return new WP_Error( 'invalid_key', __( 'Invalid key' ) );
+ }
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- if ( is_numeric( $uid ) ) {
- $user = get_user_by( 'id', absint( $uid ) );
- }
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $user = false;
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- // We could be dealing with a registered user account, or a visitor.
- $is_registered_user = $user && ! is_wp_error( $user );
- $key_request_time = '';
- $saved_key = '';
- $email = '';
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ if ( is_numeric( $uid ) ) {
+ $user = get_user_by( 'id', absint( $uid ) );
+ }
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- if ( empty( $wp_hasher ) ) {
- require_once ABSPATH . WPINC . '/class-phpass.php';
- $wp_hasher = new PasswordHash( 8, true );
- }
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ // We could be dealing with a registered user account, or a visitor.
+ $is_registered_user = ( $user && ! is_wp_error( $user ) );
+ $key_request_time = '';
+ $saved_key = '';
+ $email = '';
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- // Get the saved key from the database.
- if ( $is_registered_user ) {
- $confirm_action_data = get_user_meta( $user->ID, '_account_action_' . $action_name, true );
- $email = $user->user_email;
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ if ( empty( $wp_hasher ) ) {
+ require_once ABSPATH . WPINC . '/class-phpass.php';
+ $wp_hasher = new PasswordHash( 8, true );
+ }
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- if ( false !== strpos( $confirm_action_data, ':' ) ) {
- list( $key_request_time, $saved_key ) = explode( ':', $confirm_action_data, 2 );
- }
- } else {
- $confirm_action_data = get_site_option( '_account_action_' . $uid . '_' . $action_name, '' );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ // Get the saved key from the database.
+ if ( $is_registered_user ) {
+ $raw_data = get_user_meta( $user->ID, '_verify_action_' . $action_name, true );
+ $email = $user->user_email;
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- if ( false !== strpos( $confirm_action_data, ':' ) ) {
- list( $key_request_time, $saved_key, $email ) = explode( ':', $confirm_action_data, 3 );
- }
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ if ( false !== strpos( $confirm_action_data, ':' ) ) {
+ list( $key_request_time, $saved_key ) = explode( ':', $confirm_action_data, 2 );
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ } else {
+ $raw_data = get_site_option( '_verify_action_' . $action_name . '_' . $uid, '' );
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- if ( ! $saved_key ) {
- return new WP_Error( 'invalid_key', __( 'Invalid key' ) );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ if ( false !== strpos( $confirm_action_data, ':' ) ) {
+ list( $key_request_time, $saved_key, $email ) = explode( ':', $confirm_action_data, 3 );
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ }
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- /**
- * Filters the expiration time of confirm keys.
- *
- * @param int $expiration The expiration time in seconds.
- */
- $expiration_duration = apply_filters( 'account_action_expiration', DAY_IN_SECONDS );
- $expiration_time = $key_request_time + $expiration_duration;
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $data = json_decode( $raw_data, true );
+ $key_request_time = (int) isset( $data['time'] ) ? $data['time'] : 0;
+ $saved_key = isset( $data['hash'] ) ? $data['hash'] : '';
+ $email = sanitize_email( isset( $data['email'] ) ? $data['email'] : '' );
+ $request_data = isset( $data['request_data'] ) ? $data['request_data'] : array();
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- if ( $wp_hasher->CheckPassword( $key, $saved_key ) ) {
- if ( $expiration_time && time() < $expiration_time ) {
- $return = array(
- 'action' => $action_name,
- 'email' => $email,
- );
- } else {
- $return = new WP_Error( 'expired_key', __( 'The confirmation email has expired.' ) );
- }
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ if ( ! $saved_key ) {
+ return new WP_Error( 'invalid_key', __( 'Invalid key' ) );
+ }
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- // Clean up stored keys.
- if ( $is_registered_user ) {
- delete_user_meta( $user->ID, '_account_action_' . $action_name );
- } else {
- delete_site_option( '_account_action_' . $uid . '_' . $action_name );
- }
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ if ( ! $key_request_time || ! $email ) {
+ return new WP_Error( 'invalid_key', __( 'Invalid action' ) );
+ }
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- return $return;
- }
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ /**
+ * Filters the expiration time of confirm keys.
+ *
+ * @since 5.0.0
+ *
+ * @param int $expiration The expiration time in seconds.
+ */
+ $expiration_duration = apply_filters( 'account_verification_expiration', DAY_IN_SECONDS );
+ $expiration_time = $key_request_time + $expiration_duration;
+
+ if ( ! $wp_hasher->CheckPassword( $key, $saved_key ) ) {
+ return new WP_Error( 'invalid_key', __( 'Invalid key' ) );
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- return new WP_Error( 'invalid_key', __( 'Invalid key' ) );
-}
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ if ( $expiration_time && time() < $expiration_time ) {
+ $return = array(
+ 'action' => $action_name,
+ 'email' => $email,
+ 'request_data' => $request_data,
+ );
+ } else {
+ $return = new WP_Error( 'expired_key', __( 'The confirmation email has expired.' ) );
+ }
+
+ // Clean up stored keys.
+ if ( $is_registered_user ) {
+ delete_user_meta( $user->ID, '_verify_action_' . $action_name );
+ } else {
+ delete_site_option( '_verify_action_' . $action_name . '_' . $uid );
+ }
+
+ return $return;
+}
</ins><span class="cx" style="display: block; padding: 0 10px">\ No newline at end of file
</span></span></pre></div>
<a id="trunksrcwploginphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/src/wp-login.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/src/wp-login.php 2018-04-06 07:46:14 UTC (rev 42963)
+++ trunk/src/wp-login.php 2018-04-06 19:09:53 UTC (rev 42964)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -427,7 +427,7 @@
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> // validate action so as to default to the login screen
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-if ( ! in_array( $action, array( 'postpass', 'logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login', 'emailconfirm' ), true ) && false === has_filter( 'login_form_' . $action ) ) {
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+if ( ! in_array( $action, array( 'postpass', 'logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login', 'verifyaccount' ), true ) && false === has_filter( 'login_form_' . $action ) ) {
</ins><span class="cx" style="display: block; padding: 0 10px"> $action = 'login';
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -858,12 +858,12 @@
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> break;
</span><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- case 'emailconfirm' :
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ case 'verifyaccount' :
</ins><span class="cx" style="display: block; padding: 0 10px"> if ( isset( $_GET['confirm_action'], $_GET['confirm_key'], $_GET['uid'] ) ) {
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- $action_name = sanitize_key( wp_unslash( $_GET['confirm_action'] ) );
</del><span class="cx" style="display: block; padding: 0 10px"> $key = sanitize_text_field( wp_unslash( $_GET['confirm_key'] ) );
</span><span class="cx" style="display: block; padding: 0 10px"> $uid = sanitize_text_field( wp_unslash( $_GET['uid'] ) );
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- $result = check_confirm_account_action_key( $action_name, $key, $uid );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $action_name = sanitize_key( wp_unslash( $_GET['confirm_action'] ) );
+ $result = wp_check_account_verification_key( $key, $uid, $action_name );
</ins><span class="cx" style="display: block; padding: 0 10px"> } else {
</span><span class="cx" style="display: block; padding: 0 10px"> $result = new WP_Error( 'invalid_key', __( 'Invalid key' ) );
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span></span></pre>
</div>
</div>
</body>
</html>