[wp-trac] [WordPress Trac] #52529: Non-slashed $old_user_data->user_email in wp_insert_user causes user_activation_key to be unset
WordPress Trac
noreply at wordpress.org
Mon Feb 15 12:11:54 UTC 2021
#52529: Non-slashed $old_user_data->user_email in wp_insert_user causes user_activation_key to be unset
------------------------------------+-----------------------------
Reporter: emirpprime | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Login and Registration | Version: trunk
Severity: normal | Keywords:
Focuses: |
------------------------------------+-----------------------------
WordPress now allows apostrophes in email addresses, but the forgot
password process for these users fails.
`$data['user_activation_key']` in `wp_insert_user()` gets cleared when
the `$user_email !== $old_user_data->user_email` comparison fails.
This is because `$old_user_data` is the "clean" data from the database,
however `wp_update_user()` calls `add_magic_quotes()` on the user data it
passes, causing apostrophes in email addresses to be slashed.
The process fails silently, as there is no error when
`$data['user_activation_key']` is cleared in this flow, even though it is
required for the forgot password system to function.
To replicate: register a user with an apostrophe in their email, then use the
lost password system from wp-login.php. An email will be sent/received,
but the reset link is deemed invalid as there is no `user_activation_key`
in the db.
Patch (about to be) attached to slash email only in `$old_user_data`. While
this fixes the bug, it does raise the question of whether
`get_password_reset_key()` should validate that the key is created
directly, as `wp_update_user()` errors don't give the granularity to tell
us.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/52529>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list
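The following PHP snippet is an added illustration of the comparison failure the ticket describes; it is not WordPress core code and not the reporter's patch. It assumes only that `add_magic_quotes()` / `wp_slash()` behave like PHP's built-in `addslashes()` and `wp_unslash()` like `stripslashes()`, which is how WordPress implements them. The helper names (`activation_key_after_update`, `key_survived`) and the sample email and key value are constructed for the example.

```php
<?php
// Added example, not WordPress code: reproduces the slashed-vs-unslashed
// email comparison that silently clears user_activation_key, and shows the
// two ways the comparison can be made consistent.

// What the database holds: the "clean", unslashed row (constructed sample).
$old_user_data = (object) [
    'user_email'          => "o'connor@example.com",
    'user_activation_key' => 'PLACEHOLDER-RESET-KEY', // placeholder, not a real key
];

// What wp_update_user() hands to wp_insert_user() after add_magic_quotes():
// the same address, but with the apostrophe escaped.
$userdata = [
    'user_email' => addslashes("o'connor@example.com"),
];

/**
 * Mimics the branch in wp_insert_user() that clears user_activation_key
 * when the email appears to have changed. Hypothetical helper.
 *
 * @param bool $slash_old Whether to slash the DB value before comparing
 *                        (the approach the ticket's patch takes).
 * @return string The activation key that would be written back.
 */
function activation_key_after_update(object $old, array $new, bool $slash_old): string
{
    $old_email = $slash_old ? addslashes($old->user_email) : $old->user_email;
    $key       = $old->user_activation_key;

    if ($new['user_email'] !== $old_email) {
        // Email looks changed: key is cleared with no error or return value
        // to tell the caller it happened.
        $key = '';
    }
    return $key;
}

/**
 * The kind of post-update check the ticket asks about for
 * get_password_reset_key(): re-read the row and confirm the key is still
 * present instead of trusting wp_update_user()'s result. Hypothetical helper.
 */
function key_survived(string $key_after_update): bool
{
    return $key_after_update !== '';
}

// 1. Buggy comparison: slashed input vs. clean DB value -> mismatch -> key lost.
$buggy = activation_key_after_update($old_user_data, $userdata, false);
echo "buggy comparison, key survived: ", var_export(key_survived($buggy), true), PHP_EOL;

// 2. Patch approach from the ticket: slash the stored value before comparing.
$fixed = activation_key_after_update($old_user_data, $userdata, true);
echo "slashed old value, key survived: ", var_export(key_survived($fixed), true), PHP_EOL;

// 3. Equivalent alternative: unslash the incoming value before comparing.
$same = stripslashes($userdata['user_email']) === $old_user_data->user_email;
echo "unslashed new value equals DB value: ", var_export($same, true), PHP_EOL;
```

The first run shows the failure mode: nothing throws, the update "succeeds", and the reset token is simply gone, which is why the reset link is later rejected. The second and third runs show that either slashing the stored value or unslashing the incoming value makes the comparison agree; whichever side is normalised, both operands must be in the same form, and the `key_survived()` re-check is the minimal guard that would have surfaced this silent data loss.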