[wp-trac] [WordPress Trac] #25853: Changeset 25696 breaks expected value of argument sent to filter 'retrieve_password_message'

WordPress Trac noreply at wordpress.org
Wed Nov 6 23:24:51 UTC 2013


#25853: Changeset 25696 breaks expected value of argument sent to filter
'retrieve_password_message'
--------------------------+--------------------
 Reporter:  dcavins       |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  3.7.2
Component:  Users         |     Version:  3.7
 Severity:  minor         |  Resolution:
 Keywords:                |
--------------------------+--------------------
Changes (by SergeyBiryukov):

 * version:  3.7.1 => 3.7
 * component:  General => Users
 * milestone:  Awaiting Review => 3.7.2


Old description:

> In changeset 25696 to wp-login.php, the function 'retrieve_password' was
> changed to hash the generated key about line 350:
>
> {{{$hashed = $wp_hasher->HashPassword( $key );}}}
>
> However, the filter 'retrieve_password_message' is still sending $key as
> an argument, line 385
>
> {{{$message = apply_filters( 'retrieve_password_message', $message, $key );}}}
>
> So any existing filters are no longer receiving the value stored in the
> database (which matters because filtering 'retrieve_password_message'
> almost has to include a search on that value to get the requestor's
> user_login, which is required for the password reset link to work).
>
> A simple fix is changing line 385 to
>
> {{{$message = apply_filters( 'retrieve_password_message', $message, $hashed );}}}
>
> Thanks for the great software!

New description:

 In changeset [25696] to wp-login.php, the function 'retrieve_password' was
 changed to hash the generated key about line 350:

 {{{$hashed = $wp_hasher->HashPassword( $key );}}}

 However, the filter 'retrieve_password_message' is still sending $key as
 an argument, line 385

 {{{$message = apply_filters( 'retrieve_password_message', $message, $key );}}}

 So any existing filters are no longer receiving the value stored in the
 database (which matters because filtering 'retrieve_password_message'
 almost has to include a search on that value to get the requestor's
 user_login, which is required for the password reset link to work).

 A simple fix is changing line 385 to

 {{{$message = apply_filters( 'retrieve_password_message', $message, $hashed );}}}

 Thanks for the great software!

--
Ticket URL: <http://core.trac.wordpress.org/ticket/25853#comment:1>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
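
The mismatch described in the ticket, as an added example that is not part of the ticket or of WordPress core: once only a salted hash of the key is stored, an equality lookup with the plaintext key handed to the filter finds no user, and re-hashing the key does not help because every hash gets a fresh salt. PHP's `password_hash()`/`password_verify()` stand in for `$wp_hasher` here, and the user array and all function names are constructed for illustration.

```php
<?php
// Added illustration, not WordPress core code. password_hash()/password_verify()
// are stand-ins (assumption) for the salted $wp_hasher->HashPassword() call quoted
// in the ticket and its matching check.

// Constructed stand-in for the users table: user_login => user_activation_key.
$users = array( 'alice' => '', 'bob' => '' );

// Mirrors the flow the ticket describes: the plaintext key goes into the email,
// only the salted hash is stored.
function request_reset( array &$users, $user_login ) {
    $key    = bin2hex( random_bytes( 10 ) );
    $hashed = password_hash( $key, PASSWORD_DEFAULT );
    $users[ $user_login ] = $hashed;
    return array( $key, $hashed );
}

// Hypothetical pre-changeset filter callback logic: find the user whose stored
// value is exactly equal to the argument the filter was handed.
function find_login_by_stored_value( array $users, $value ) {
    $login = array_search( $value, $users, true );
    return false === $login ? null : $login;
}

// Check that works on a salted hash: verify the plaintext key against the
// stored value of a user whose login is already known.
function key_matches_user( array $users, $user_login, $key ) {
    $stored = isset( $users[ $user_login ] ) ? $users[ $user_login ] : '';
    return '' !== $stored && password_verify( $key, $stored );
}

list( $key, $hashed ) = request_reset( $users, 'bob' );

$attempts = array(
    'plaintext key, equality lookup'      => find_login_by_stored_value( $users, $key ),
    'stored hash, equality lookup'        => find_login_by_stored_value( $users, $hashed ),
    're-hashed key, equality lookup'      => find_login_by_stored_value( $users, password_hash( $key, PASSWORD_DEFAULT ) ),
    'plaintext key, verify against bob'   => key_matches_user( $users, 'bob', $key ),
    'plaintext key, verify against alice' => key_matches_user( $users, 'alice', $key ),
);
foreach ( $attempts as $label => $result ) {
    echo str_pad( $label, 38 ), var_export( $result, true ), PHP_EOL;
}
```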

