[wp-trac] [WordPress Trac] #50072: Users with email addresses containing a single quote cannot reset their passwords
WordPress Trac
noreply at wordpress.org
Mon May 4 09:28:31 UTC 2020
#50072: Users with email addresses containing a single quote cannot reset their
passwords
-----------------------------+-----------------------------
 Reporter:  daniele.perilli  |      Owner:  (none)
     Type:  defect (bug)     |     Status:  new
 Priority:  normal           |  Milestone:  Awaiting Review
Component:  Users            |    Version:  5.4
 Severity:  major            |   Keywords:
  Focuses:                   |
-----------------------------+-----------------------------
I just found that users with a single quote in their email addresses
cannot reset their passwords.
This happens because there is a difference in the email addresses compared
by the wp_insert_user() function.
Take a look at this example.
I have a user with an email address equal to **daniel.o'brian at gmail.com**
When he tries to reset his password, he receives the reset key, but his
activation key is not stored in the database.
Looking at lines 1805-1808 of the file users.php I found the problem:
{{{
if ( $update ) {
    if ( $user_email !== $old_user_data->user_email || $user_pass !== $old_user_data->user_pass ) {
        $data['user_activation_key'] = '';
    }
}}}
In the above code the variable $user_email is
**daniel.o'brian at gmail.com**, but the $old_user_data->user_email is
escaped and appears to be **daniel.o\'brian at gmail.com**, so there is no
match and the user activation key is cleared.
Can you confirm and provide a fix?
In the meantime, I can change this behavior by escaping the $user_email
myself in the filter wp_pre_insert_user_data, which is a few lines above
the check, I guess.
Thanks!
--
Ticket URL: <https://core.trac.wordpress.org/ticket/50072>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
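
The mismatch described in the ticket can be reproduced outside WordPress. The following is an added example, not code from the ticket or from WordPress core: the function names are hypothetical, the sample user is constructed, and PHP's addslashes()/stripslashes() stand in for the escaped stored value the reporter observed.

```php
<?php
// Added illustration, not WordPress core code. Function names are hypothetical.

/**
 * Models the check quoted in the ticket: reports whether the activation key
 * would be cleared during a user update.
 */
function key_cleared_strict( string $user_email, string $user_pass, object $old ): bool {
    return $user_email !== $old->user_email || $user_pass !== $old->user_pass;
}

/**
 * Same decision, but both email values are unslashed first so that they are
 * compared in the same representation (assumed approach, for illustration).
 */
function key_cleared_normalized( string $user_email, string $user_pass, object $old ): bool {
    return stripslashes( $user_email ) !== stripslashes( $old->user_email )
        || $user_pass !== $old->user_pass;
}

// Constructed sample data: the "old" record carries the escaped form of the
// address, the incoming value carries the raw form, as the ticket describes.
$hash = '$P$constructed-sample-hash';
$old  = (object) array(
    'user_email' => addslashes( "daniel.o'brian@example.com" ),
    'user_pass'  => $hash,
);
$incoming_email = "daniel.o'brian@example.com";

// Case 1: nothing about the user changed, only the slashing differs.
var_dump( key_cleared_strict( $incoming_email, $hash, $old ) );
var_dump( key_cleared_normalized( $incoming_email, $hash, $old ) );

// Case 2: a real email change must still invalidate a pending reset key.
var_dump( key_cleared_normalized( 'someone.else@example.com', $hash, $old ) );

// Case 3: a password change must still invalidate a pending reset key.
var_dump( key_cleared_normalized( $incoming_email, '$P$other-constructed-hash', $old ) );
```

Cases 2 and 3 matter as much as case 1: the activation key is cleared on a genuine email or password change so that an outstanding reset link stops working, and any normalization of the comparison has to preserve that.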