[wp-trac] [WordPress Trac] #53699: Attempting to reset an email which contains an apostrophe causes an invalid key error
WordPress Trac
noreply at wordpress.org
Tue Jul 20 14:02:18 UTC 2021
#53699: Attempting to reset an email which contains an apostrophe causes an invalid
key error
--------------------------+-----------------------------
Reporter: brightminded | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: 5.7.2
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
This appears to be because when get_password_reset_key is called for a
user with an apostrophe in their email, the new user_activation_key that
is generated is not properly saved to the database.
This seems to be caused by this if statement in wp_insert_user on line
2018 of wp-includes/user.php:
{{{#!php
if ( $user_email !== $old_user_data->user_email || $user_pass !==
$old_user_data->user_pass ) {
$data['user_activation_key'] = '';
}
}}}
At two points before this user email is sanitized so that apostrophes are
escaped causing the apostrophe to be preceded by a backslash,
whereas $old_user_data->user_email is not, thus the check fails and the
new user_activation_key saved by get_password_reset_key is blank, causing
the next call of check_password_reset key to return an invalid key error.
e.g. If trying to reset the password for an account who's email was
"123'abc at example.com", $user_email would contain "123\'abc at example.com",
and $old_user_data->user_email would contain "123'abc at example.com".
The email address gets escaped at the following two lines (also in wp-
includes/user.php) before that if statement in wp_insert_user:
2167: $user = add_magic_quotes( $user );
1855: $user_email = apply_filters( 'pre_user_email', $raw_user_email );
--
Ticket URL: <https://core.trac.wordpress.org/ticket/53699>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list