[wp-trac] [WordPress Trac] #40356: Broken reset password link
WordPress Trac
noreply at wordpress.org
Tue Apr 4 16:45:56 UTC 2017
#40356: Broken reset password link
------------------------------------+-----------------------------
Reporter: ikalkov | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Login and Registration | Version: 4.7.3
Severity: normal | Keywords:
Focuses: |
------------------------------------+-----------------------------
After the registration or password reset, the user receives an email like
this:
> WordPress - [Project] Password Reset
> Someone has requested a password reset for the following account:
> https://abcd/
>
> Username: efgh
>
> If this was a mistake, just ignore this email and nothing will happen.
> To reset your password, visit the following address:
> <https://abcd/login?action=rp&key=w7NfjFe4bzB278EqJnty&login=efgh>
Which is OK so far. Unfortunately, some e-mail clients append the trailing
">" to the username on click, opening the following wrong URL:
https://abcd/login?action=rp&key=w7NfjFe4bzB278EqJnty&login=efgh%3E
This leads to the error message "Your password reset link appears to be
invalid. Please request a new link below." and the process starts all over
again. In the last 24 hours we have received more than messages from
confused customers who don't pay close attention to the URL.
The corresponding source code in wp-login.php explains the issue:
{{{
$message .= '<' . network_site_url( "wp-login.php?action=rp&key=$key&login=" . rawurlencode( $user_login ), 'login' ) . ">\r\n";
}}}
I'm not sure why exactly the address has to be put into angle brackets.
Can they be removed or can we at least put some separator (like "&") at
the end of the username?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/40356>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
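Added illustration, not part of the ticket or of WordPress's code: a small Python model of the link construction quoted from wp-login.php above, a mail client that linkifies greedily and swallows the closing ">", and the reporter's two options (drop the angle brackets, or put a trailing separator after the username). Host, username and key are the ticket's own redacted values; `check_reset_link` is a stand-in for the server-side lookup and is an assumption about the real handling, not WordPress code. For background, RFC 3986 Appendix C is the convention that wraps URIs in "<" and ">" in plain text, which is why such brackets turn up in mail bodies.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample values, mirroring the redacted ones in the ticket.
BASE = "https://abcd/login"
KEY = "w7NfjFe4bzB278EqJnty"
LOGIN = "efgh"


def build_reset_link(key: str, login: str, trailing_separator: bool = False) -> str:
    """Build the reset URL the way the quoted wp-login.php line does.

    quote(..., safe='') matches PHP's rawurlencode for the login value.
    With trailing_separator=True a final '&' is appended, which is the
    reporter's second suggestion: any junk a client glues on then lands in
    an empty query segment instead of in the username.
    """
    query = f"action=rp&key={quote(key, safe='')}&login={quote(login, safe='')}"
    if trailing_separator:
        query += "&"
    return f"{BASE}?{query}"


def wrap_in_angle_brackets(url: str) -> str:
    """Delimit the URL with <...> as the mail template does."""
    return f"<{url}>"


def simulate_greedy_client(text: str) -> str:
    """Model a mail client that linkifies from 'https://' up to the next
    whitespace, so the closing '>' is treated as part of the URL and sent
    percent-encoded (%3E), exactly as the ticket describes."""
    start = text.index("https://")
    end = len(text)
    for i, ch in enumerate(text[start:], start):
        if ch.isspace():
            end = i
            break
    return text[start:end].replace(">", "%3E")


def parse_reset_params(url: str) -> dict:
    """Extract action, key and login from the clicked URL.
    keep_blank_values=True keeps an empty trailing segment visible."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: qs.get(name, [""])[0] for name in ("action", "key", "login")}


def check_reset_link(url: str, expected_login: str, expected_key: str) -> bool:
    """Hypothetical stand-in for the server-side check: the link is only
    valid when the login and key in the URL match the stored ones."""
    p = parse_reset_params(url)
    return p["action"] == "rp" and p["login"] == expected_login and p["key"] == expected_key


if __name__ == "__main__":
    link = build_reset_link(KEY, LOGIN)
    clicked = simulate_greedy_client(wrap_in_angle_brackets(link))
    print("clicked:", clicked)
    print("login parsed as:", repr(parse_reset_params(clicked)["login"]))
    print("valid:", check_reset_link(clicked, LOGIN, KEY))

    fixed = build_reset_link(KEY, LOGIN, trailing_separator=True)
    clicked_fixed = simulate_greedy_client(wrap_in_angle_brackets(fixed))
    print("with trailing '&', valid:", check_reset_link(clicked_fixed, LOGIN, KEY))
```

Running it shows the bracketed link arriving as `...login=efgh%3E`, the username decoding to `efgh>` and the check failing, while both the unbracketed link and the link with a trailing `&` survive the same client behaviour.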