[wp-trac] [WordPress Trac] #25853: Changeset 25696 breaks expected value of argument sent to filter 'retrieve_password_message'
WordPress Trac
noreply at wordpress.org
Wed Nov 6 23:24:51 UTC 2013
#25853: Changeset 25696 breaks expected value of argument sent to filter
'retrieve_password_message'
--------------------------+--------------------
Reporter: dcavins | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: 3.7.2
Component: Users | Version: 3.7
Severity: minor | Resolution:
Keywords: |
--------------------------+--------------------
Changes (by SergeyBiryukov):
* version: 3.7.1 => 3.7
* component: General => Users
* milestone: Awaiting Review => 3.7.2
Old description:
> In changeset 25696 to wp-login.php, the function 'retrieve_password' was
> changed to hash the generated key about line 350:
>
> {{{$hashed = $wp_hasher->HashPassword( $key );}}}
>
> However, the filter 'retrieve_password_message' is still sending $key as
> an argument, line 385
>
> {{{$message = apply_filters( 'retrieve_password_message', $message, $key
> );}}}
>
> So any existing filters are no longer receiving the value stored in the
> database (which matters because filtering 'retrieve_password_message'
> almost has to include a search on that value to get the requestor's
> user_login, which is required for the password reset link to work).
>
> A simple fix is changing line 385 to
>
> {{{$message = apply_filters( 'retrieve_password_message', $message,
> $hashed );}}}
>
> Thanks for the great software!
New description:
In changeset [25696] to wp-login.php, the function 'retrieve_password' was
changed to hash the generated key about line 350:
{{{$hashed = $wp_hasher->HashPassword( $key );}}}
However, the filter 'retrieve_password_message' is still sending $key as
an argument, line 385
{{{$message = apply_filters( 'retrieve_password_message', $message, $key
);}}}
So any existing filters are no longer receiving the value stored in the
database (which matters because filtering 'retrieve_password_message'
almost has to include a search on that value to get the requestor's
user_login, which is required for the password reset link to work).
A simple fix is changing line 385 to
{{{$message = apply_filters( 'retrieve_password_message', $message,
$hashed );}}}
Thanks for the great software!
--
--
Ticket URL: <http://core.trac.wordpress.org/ticket/25853#comment:1>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
More information about the wp-trac
mailing list