<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[43070] branches/4.9/src/wp-login.php: Privacy: fixes and updates for the method to confirm user requests by email.</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { white-space: pre-line; overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta" style="font-size: 105%">
<dt style="float: left; width: 6em; font-weight: bold">Revision</dt> <dd><a style="font-weight: bold" href="https://core.trac.wordpress.org/changeset/43070">43070</a><script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","description":"Review this Commit","action":{"@type":"ViewAction","url":"https://core.trac.wordpress.org/changeset/43070","name":"Review Commit"}}</script></dd>
<dt style="float: left; width: 6em; font-weight: bold">Author</dt> <dd>SergeyBiryukov</dd>
<dt style="float: left; width: 6em; font-weight: bold">Date</dt> <dd>2018-05-01 23:36:37 +0000 (Tue, 01 May 2018)</dd>
</dl>
<pre style='padding-left: 1em; margin: 2em 0; border-left: 2px solid #ccc; line-height: 1.25; font-size: 105%; font-family: sans-serif'>Privacy: fixes and updates for the method to confirm user requests by email.
- Improve function and variable names.
- Allow extra data to be passed with the request.
- Make the option/user meta names more consistent.
- Adds an inline comment explaining use of hash.
Props mikejolley.
Merges <a href="https://core.trac.wordpress.org/changeset/42964">[42964]</a> to the 4.9 branch.
See <a href="https://core.trac.wordpress.org/ticket/43443">#43443</a>.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#branches49srcwpincludesuserphp">branches/4.9/src/wp-includes/user.php</a></li>
<li><a href="#branches49srcwploginphp">branches/4.9/src/wp-login.php</a></li>
</ul>
<h3>Property Changed</h3>
<ul>
<li><a href="#branches49">branches/4.9/</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<span class="cx" style="display: block; padding: 0 10px">Index: branches/4.9
</span><span class="cx" style="display: block; padding: 0 10px">===================================================================
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">--- branches/4.9 2018-05-01 23:33:17 UTC (rev 43069)
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+++ branches/4.9 2018-05-01 23:36:37 UTC (rev 43070)
</ins><a id="branches49"></a>
<div class="propset"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Property changes: branches/4.9</h4>
<pre class="diff"><span>
</span></pre></div>
<a id="svnmergeinfo"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: svn:mergeinfo</h4></div>
<span class="cx" style="display: block; padding: 0 10px"> /branches/3.1:18031
</span><span class="cx" style="display: block; padding: 0 10px"> /branches/3.3:20543
</span><span class="cx" style="display: block; padding: 0 10px"> /branches/3.4:21757
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-/trunk:18512,42132,42134,42136,42138,42140,42144,42146,42148,42150,42152-42153,42155,42157,42159,42161,42163,42169,42171,42173,42175,42177,42181,42183,42185,42187,42189,42191,42193,42199,42203,42210,42214,42220,42222,42226,42242,42244,42247,42251,42256-42261,42350,42358,42362,42364-42368,42374,42388,42390,42401,42417,42421,42423-42425,42430,42433,42437,42441,42443,42446-42447,42449,42451,42453,42457,42459,42462,42491,42521,42529,42531,42533,42536,42538,42541,42543,42545,42549,42566,42568,42570,42572,42574,42576,42579,42581-42582,42584-42585,42587-42588,42590,42592,42594-42595,42598-42599,42602,42604,42606,42611-42613,42615,42617,42624-42625,42639,42648,42652-42653,42665,42687,42711,42713,42719,42722,42739-42740,42744,42758,42791-42792,42801,42817-42818,42830,42837,42839,42841,42844,42851-42852,42860,42864,42881,42892-42894,42930,42998,43001,43004,43007,43025,43027,43030,43032,43034,43036
,43039,43056,43062-43063,43065
</del><span class="cx" style="display: block; padding: 0 10px">\ No newline at end of property
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+/trunk:18512,42132,42134,42136,42138,42140,42144,42146,42148,42150,42152-42153,42155,42157,42159,42161,42163,42169,42171,42173,42175,42177,42181,42183,42185,42187,42189,42191,42193,42199,42203,42210,42214,42220,42222,42226,42242,42244,42247,42251,42256-42261,42350,42358,42362,42364-42368,42374,42388,42390,42401,42417,42421,42423-42425,42430,42433,42437,42441,42443,42446-42447,42449,42451,42453,42457,42459,42462,42491,42521,42529,42531,42533,42536,42538,42541,42543,42545,42549,42566,42568,42570,42572,42574,42576,42579,42581-42582,42584-42585,42587-42588,42590,42592,42594-42595,42598-42599,42602,42604,42606,42611-42613,42615,42617,42624-42625,42639,42648,42652-42653,42665,42687,42711,42713,42719,42722,42739-42740,42744,42758,42791-42792,42801,42817-42818,42830,42837,42839,42841,42844,42851-42852,42860,42864,42881,42892-42894,42930,42964,42998,43001,43004,43007,43025,43027,43030,43032,43034
,43036,43039,43056,43062-43063,43065
</ins><span class="cx" style="display: block; padding: 0 10px">\ No newline at end of property
</span><a id="branches49srcwpincludesuserphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: branches/4.9/src/wp-includes/user.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- branches/4.9/src/wp-includes/user.php 2018-05-01 23:33:17 UTC (rev 43069)
+++ branches/4.9/src/wp-includes/user.php 2018-05-01 23:36:37 UTC (rev 43070)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -2737,20 +2737,28 @@
</span><span class="cx" style="display: block; padding: 0 10px"> *
</span><span class="cx" style="display: block; padding: 0 10px"> * @since 5.0.0
</span><span class="cx" style="display: block; padding: 0 10px"> *
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- * @param string $action_name Name of the action that is being confirmed.
- * @param string $action_description User facing description of the action they will be confirming.
- * @param string $email User email address. This can be the address of a registered or non-registered user. Defaults to logged in user email address.
- *
- * @return WP_ERROR|bool Will return true/false based on the success of sending the email, or a WP_Error object.
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ * @param string $email User email address. This can be the address of a registered or non-registered user. Defaults to logged in user email address.
+ * @param string $action_name Name of the action that is being confirmed. Defaults to 'confirm_email'.
+ * @param string $action_description User facing description of the action they will be confirming. Defaults to "confirm your email address".
+ * @param array $request_data Misc data you want to send with the verification request and pass to the actions once the request is confirmed.
+ * @return WP_Error|bool Will return true/false based on the success of sending the email, or a WP_Error object.
</ins><span class="cx" style="display: block; padding: 0 10px"> */
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-function send_confirm_account_action_email( $action_name, $action_description = '', $email = '' ) {
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+function wp_send_account_verification_key( $email = '', $action_name = '', $action_description = '', $request_data = array() ) {
+ if ( ! function_exists( 'wp_get_current_user' ) ) {
+ return new WP_Error( 'invalid', __( 'This function cannot be used before init.' ) );
+ }
+
</ins><span class="cx" style="display: block; padding: 0 10px"> $action_name = sanitize_key( $action_name );
</span><span class="cx" style="display: block; padding: 0 10px"> $action_description = wp_kses_post( $action_description );
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> if ( empty( $action_name ) ) {
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- return new WP_Error( 'invalid_action', __( 'Invalid action' ) );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $action_name = 'confirm_email';
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ if ( empty( $action_description ) ) {
+ $action_description = __( 'Confirm your email address.' );
+ }
+
</ins><span class="cx" style="display: block; padding: 0 10px"> if ( empty( $email ) ) {
</span><span class="cx" style="display: block; padding: 0 10px"> $user = wp_get_current_user();
</span><span class="cx" style="display: block; padding: 0 10px"> $email = $user->ID ? $user->user_email : '';
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -2768,18 +2776,20 @@
</span><span class="cx" style="display: block; padding: 0 10px"> $user = get_user_by( 'email', $email );
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- // We could be dealing with a registered user account, or a visitor.
- $is_registered_user = $user && ! is_wp_error( $user );
- $uid = $is_registered_user ? $user->ID : hash( 'sha256', $email );
- $confirm_key = get_confirm_account_action_key( $action_name, $email );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $confirm_key = wp_get_account_verification_key( $email, $action_name, $request_data );
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> if ( is_wp_error( $confirm_key ) ) {
</span><span class="cx" style="display: block; padding: 0 10px"> return $confirm_key;
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- // Prepare the email content.
- if ( ! $action_description ) {
- $action_description = $action_name;
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ // We could be dealing with a registered user account, or a visitor.
+ $is_registered_user = $user && ! is_wp_error( $user );
+
+ if ( $is_registered_user ) {
+ $uid = $user->ID;
+ } else {
+ // Generate a UID for this email address so we don't send the actual email in the query string. Hash is not supported on all systems.
+ $uid = function_exists( 'hash' ) ? hash( 'sha256', $email ) : sha1( $email );
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> /* translators: Do not translate DESCRIPTION, CONFIRM_URL, EMAIL, SITENAME, SITEURL: those are placeholders. */
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -2786,12 +2796,11 @@
</span><span class="cx" style="display: block; padding: 0 10px"> $email_text = __(
</span><span class="cx" style="display: block; padding: 0 10px"> 'Howdy,
</span><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-An account linked to your email address has requested to perform
-the following action:
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+A request has been made to perform the following action on your account:
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> ###DESCRIPTION###
</span><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-To confirm this action, please click on the following link:
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+To confirm this, please click on the following link:
</ins><span class="cx" style="display: block; padding: 0 10px"> ###CONFIRM_URL###
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> You can safely ignore and delete this email if you do not want to
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -2809,7 +2818,7 @@
</span><span class="cx" style="display: block; padding: 0 10px"> 'email' => $email,
</span><span class="cx" style="display: block; padding: 0 10px"> 'description' => $action_description,
</span><span class="cx" style="display: block; padding: 0 10px"> 'confirm_url' => add_query_arg( array(
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- 'action' => 'emailconfirm',
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ 'action' => 'verifyaccount',
</ins><span class="cx" style="display: block; padding: 0 10px"> 'confirm_action' => $action_name,
</span><span class="cx" style="display: block; padding: 0 10px"> 'uid' => $uid,
</span><span class="cx" style="display: block; padding: 0 10px"> 'confirm_key' => $confirm_key,
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -2829,6 +2838,8 @@
</span><span class="cx" style="display: block; padding: 0 10px"> * ###SITENAME### The name of the site.
</span><span class="cx" style="display: block; padding: 0 10px"> * ###SITEURL### The URL to the site.
</span><span class="cx" style="display: block; padding: 0 10px"> *
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ * @since 5.0.0
+ *
</ins><span class="cx" style="display: block; padding: 0 10px"> * @param string $email_text Text in the email.
</span><span class="cx" style="display: block; padding: 0 10px"> * @param array $email_data {
</span><span class="cx" style="display: block; padding: 0 10px"> * Data relating to the account action email.
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -2841,7 +2852,7 @@
</span><span class="cx" style="display: block; padding: 0 10px"> * @type string $siteurl The site URL sending the mail.
</span><span class="cx" style="display: block; padding: 0 10px"> * }
</span><span class="cx" style="display: block; padding: 0 10px"> */
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- $content = apply_filters( 'confirm_account_action_email_content', $email_text, $email_data );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $content = apply_filters( 'account_verification_email_content', $email_text, $email_data );
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> $content = str_replace( '###DESCRIPTION###', $email_data['description'], $content );
</span><span class="cx" style="display: block; padding: 0 10px"> $content = str_replace( '###CONFIRM_URL###', esc_url_raw( $email_data['confirm_url'] ), $content );
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -2850,7 +2861,7 @@
</span><span class="cx" style="display: block; padding: 0 10px"> $content = str_replace( '###SITEURL###', esc_url_raw( $email_data['siteurl'] ), $content );
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> /* translators: %s Site name. */
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- return wp_mail( $email_data['email'], sprintf( __( '[%s] Confirm Account Action' ), wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ) ), $content );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ return wp_mail( $email_data['email'], sprintf( __( '[%s] Confirm Action' ), wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ) ), $content );
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> /**
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -2858,12 +2869,12 @@
</span><span class="cx" style="display: block; padding: 0 10px"> *
</span><span class="cx" style="display: block; padding: 0 10px"> * @since 5.0.0
</span><span class="cx" style="display: block; padding: 0 10px"> *
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- * @param string $action_name Name of the action this key is being generated for.
- * @param string $email User email address. This can be the address of a registered or non-registered user.
- *
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ * @param string $email User email address. This can be the address of a registered or non-registered user.
+ * @param string $action_name Name of the action this key is being generated for.
+ * @param array $request_data Misc data you want to send with the verification request and pass to the actions once the request is confirmed.
</ins><span class="cx" style="display: block; padding: 0 10px"> * @return string|WP_Error Confirmation key on success. WP_Error on error.
</span><span class="cx" style="display: block; padding: 0 10px"> */
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-function get_confirm_account_action_key( $action_name, $email ) {
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+function wp_get_account_verification_key( $email, $action_name, $request_data = array() ) {
</ins><span class="cx" style="display: block; padding: 0 10px"> global $wp_hasher;
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> if ( ! is_email( $email ) ) {
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -2889,15 +2900,23 @@
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> $hashed_key = $wp_hasher->HashPassword( $key );
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $value = array(
+ 'action' => $action_name,
+ 'time' => time(),
+ 'hash' => $hashed_key,
+ 'email' => $email,
+ 'request_data' => $request_data,
+ );
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> if ( $is_registered_user ) {
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- $key_saved = (bool) update_user_meta( $user->ID, '_account_action_' . $action_name, implode( ':', array( time(), $hashed_key ) ) );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $key_saved = (bool) update_user_meta( $user->ID, '_verify_action_' . $action_name, wp_json_encode( $value ) );
</ins><span class="cx" style="display: block; padding: 0 10px"> } else {
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- $key_saved = (bool) update_site_option( '_account_action_' . hash( 'sha256', $email ) . '_' . $action_name, implode( ':', array( time(), $hashed_key, $email ) ) );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $uid = function_exists( 'hash' ) ? hash( 'sha256', $email ) : sha1( $email );
+ $key_saved = (bool) update_site_option( '_verify_action_' . $action_name . '_' . $uid, wp_json_encode( $value ) );
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> if ( false === $key_saved ) {
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- return new WP_Error( 'no_confirm_account_action_key_update', __( 'Could not save confirm account action key to database.' ) );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ return new WP_Error( 'no_account_verification_key_update', __( 'Could not save confirm account action key to database.' ) );
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> return $key;
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -2908,81 +2927,95 @@
</span><span class="cx" style="display: block; padding: 0 10px"> *
</span><span class="cx" style="display: block; padding: 0 10px"> * @since 5.0.0
</span><span class="cx" style="display: block; padding: 0 10px"> *
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- * @param string $action_name Name of the action this key is being generated for.
</del><span class="cx" style="display: block; padding: 0 10px"> * @param string $key Key to confirm.
</span><span class="cx" style="display: block; padding: 0 10px"> * @param string $uid Email hash or user ID.
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- *
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ * @param string $action_name Name of the action this key is being generated for.
</ins><span class="cx" style="display: block; padding: 0 10px"> * @return array|WP_Error WP_Error on failure, action name and user email address on success.
</span><span class="cx" style="display: block; padding: 0 10px"> */
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-function check_confirm_account_action_key( $action_name, $key, $uid ) {
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+function wp_check_account_verification_key( $key, $uid, $action_name ) {
</ins><span class="cx" style="display: block; padding: 0 10px"> global $wp_hasher;
</span><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- if ( ! empty( $action_name ) && ! empty( $key ) && ! empty( $uid ) ) {
- $user = false;
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ if ( empty( $action_name ) || empty( $key ) || empty( $uid ) ) {
+ return new WP_Error( 'invalid_key', __( 'Invalid key' ) );
+ }
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- if ( is_numeric( $uid ) ) {
- $user = get_user_by( 'id', absint( $uid ) );
- }
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $user = false;
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- // We could be dealing with a registered user account, or a visitor.
- $is_registered_user = $user && ! is_wp_error( $user );
- $key_request_time = '';
- $saved_key = '';
- $email = '';
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ if ( is_numeric( $uid ) ) {
+ $user = get_user_by( 'id', absint( $uid ) );
+ }
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- if ( empty( $wp_hasher ) ) {
- require_once ABSPATH . WPINC . '/class-phpass.php';
- $wp_hasher = new PasswordHash( 8, true );
- }
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ // We could be dealing with a registered user account, or a visitor.
+ $is_registered_user = ( $user && ! is_wp_error( $user ) );
+ $key_request_time = '';
+ $saved_key = '';
+ $email = '';
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- // Get the saved key from the database.
- if ( $is_registered_user ) {
- $confirm_action_data = get_user_meta( $user->ID, '_account_action_' . $action_name, true );
- $email = $user->user_email;
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ if ( empty( $wp_hasher ) ) {
+ require_once ABSPATH . WPINC . '/class-phpass.php';
+ $wp_hasher = new PasswordHash( 8, true );
+ }
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- if ( false !== strpos( $confirm_action_data, ':' ) ) {
- list( $key_request_time, $saved_key ) = explode( ':', $confirm_action_data, 2 );
- }
- } else {
- $confirm_action_data = get_site_option( '_account_action_' . $uid . '_' . $action_name, '' );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ // Get the saved key from the database.
+ if ( $is_registered_user ) {
+ $raw_data = get_user_meta( $user->ID, '_verify_action_' . $action_name, true );
+ $email = $user->user_email;
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- if ( false !== strpos( $confirm_action_data, ':' ) ) {
- list( $key_request_time, $saved_key, $email ) = explode( ':', $confirm_action_data, 3 );
- }
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ if ( false !== strpos( $confirm_action_data, ':' ) ) {
+ list( $key_request_time, $saved_key ) = explode( ':', $confirm_action_data, 2 );
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ } else {
+ $raw_data = get_site_option( '_verify_action_' . $action_name . '_' . $uid, '' );
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- if ( ! $saved_key ) {
- return new WP_Error( 'invalid_key', __( 'Invalid key' ) );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ if ( false !== strpos( $confirm_action_data, ':' ) ) {
+ list( $key_request_time, $saved_key, $email ) = explode( ':', $confirm_action_data, 3 );
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ }
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- /**
- * Filters the expiration time of confirm keys.
- *
- * @param int $expiration The expiration time in seconds.
- */
- $expiration_duration = apply_filters( 'account_action_expiration', DAY_IN_SECONDS );
- $expiration_time = $key_request_time + $expiration_duration;
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $data = json_decode( $raw_data, true );
+ $key_request_time = (int) isset( $data['time'] ) ? $data['time'] : 0;
+ $saved_key = isset( $data['hash'] ) ? $data['hash'] : '';
+ $email = sanitize_email( isset( $data['email'] ) ? $data['email'] : '' );
+ $request_data = isset( $data['request_data'] ) ? $data['request_data'] : array();
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- if ( $wp_hasher->CheckPassword( $key, $saved_key ) ) {
- if ( $expiration_time && time() < $expiration_time ) {
- $return = array(
- 'action' => $action_name,
- 'email' => $email,
- );
- } else {
- $return = new WP_Error( 'expired_key', __( 'The confirmation email has expired.' ) );
- }
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ if ( ! $saved_key ) {
+ return new WP_Error( 'invalid_key', __( 'Invalid key' ) );
+ }
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- // Clean up stored keys.
- if ( $is_registered_user ) {
- delete_user_meta( $user->ID, '_account_action_' . $action_name );
- } else {
- delete_site_option( '_account_action_' . $uid . '_' . $action_name );
- }
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ if ( ! $key_request_time || ! $email ) {
+ return new WP_Error( 'invalid_key', __( 'Invalid action' ) );
+ }
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- return $return;
- }
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ /**
+ * Filters the expiration time of confirm keys.
+ *
+ * @since 5.0.0
+ *
+ * @param int $expiration The expiration time in seconds.
+ */
+ $expiration_duration = apply_filters( 'account_verification_expiration', DAY_IN_SECONDS );
+ $expiration_time = $key_request_time + $expiration_duration;
+
+ if ( ! $wp_hasher->CheckPassword( $key, $saved_key ) ) {
+ return new WP_Error( 'invalid_key', __( 'Invalid key' ) );
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- return new WP_Error( 'invalid_key', __( 'Invalid key' ) );
-}
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ if ( $expiration_time && time() < $expiration_time ) {
+ $return = array(
+ 'action' => $action_name,
+ 'email' => $email,
+ 'request_data' => $request_data,
+ );
+ } else {
+ $return = new WP_Error( 'expired_key', __( 'The confirmation email has expired.' ) );
+ }
+
+ // Clean up stored keys.
+ if ( $is_registered_user ) {
+ delete_user_meta( $user->ID, '_verify_action_' . $action_name );
+ } else {
+ delete_site_option( '_verify_action_' . $action_name . '_' . $uid );
+ }
+
+ return $return;
+}
</ins><span class="cx" style="display: block; padding: 0 10px">\ No newline at end of file
</span></span></pre></div>
<a id="branches49srcwploginphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: branches/4.9/src/wp-login.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- branches/4.9/src/wp-login.php 2018-05-01 23:33:17 UTC (rev 43069)
+++ branches/4.9/src/wp-login.php 2018-05-01 23:36:37 UTC (rev 43070)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -413,7 +413,7 @@
</span><span class="cx" style="display: block; padding: 0 10px"> $action = 'resetpass';
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> // validate action so as to default to the login screen
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-if ( !in_array( $action, array( 'postpass', 'logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login', 'emailconfirm' ), true ) && false === has_filter( 'login_form_' . $action ) )
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+if ( !in_array( $action, array( 'postpass', 'logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login', 'verifyaccount' ), true ) && false === has_filter( 'login_form_' . $action ) )
</ins><span class="cx" style="display: block; padding: 0 10px"> $action = 'login';
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> nocache_headers();
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -838,12 +838,12 @@
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> break;
</span><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-case 'emailconfirm' :
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+case 'verifyaccount' :
</ins><span class="cx" style="display: block; padding: 0 10px"> if ( isset( $_GET['confirm_action'], $_GET['confirm_key'], $_GET['uid'] ) ) {
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- $action_name = sanitize_key( wp_unslash( $_GET['confirm_action'] ) );
</del><span class="cx" style="display: block; padding: 0 10px"> $key = sanitize_text_field( wp_unslash( $_GET['confirm_key'] ) );
</span><span class="cx" style="display: block; padding: 0 10px"> $uid = sanitize_text_field( wp_unslash( $_GET['uid'] ) );
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- $result = check_confirm_account_action_key( $action_name, $key, $uid );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $action_name = sanitize_key( wp_unslash( $_GET['confirm_action'] ) );
+ $result = wp_check_account_verification_key( $key, $uid, $action_name );
</ins><span class="cx" style="display: block; padding: 0 10px"> } else {
</span><span class="cx" style="display: block; padding: 0 10px"> $result = new WP_Error( 'invalid_key', __( 'Invalid key' ) );
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span></span></pre>
</div>
</div>
</body>
</html>