From 8269c3fcd680f5efb4420bb0dcd6841de6a08197 Mon Sep 17 00:00:00 2001 From: dmsnell Date: Thu, 4 Jul 2024 22:01:22 +0000 Subject: [PATCH] Users: Avoid ambiguous password reset URLs for usernames ending in a period. When WordPress sends out a password-reset or new-user email, it generates a link for someone to follow in order to take them to the reset page. If the user login name ends in a period, however, that generated URL will end in a period and many email clients will confuse it with a sentence-ending period instead of being part of the query arguments. In this patch, the generated URL's query argument are rearranged so that the link will never end in a period. Alternative ideas were explored to create a new function to escape URL-ending periods, but this patch resolves the reported problem without raising any further architectural questions. Developed in https://github.com/WordPress/wordpress-develop/pull/6834 Discussed in https://core.trac.wordpress.org/ticket/42957 Props audrasjb, costdev, daveagp, dmsnell, hellofromTonya, markparnell, mukesh27, nhrrob, obrienlabs, paulcline. Fixes #42957. Built from https://develop.svn.wordpress.org/trunk@58674 git-svn-id: http://core.svn.wordpress.org/trunk@58076 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-includes/pluggable.php | 10 +++++++++- wp-includes/user.php | 10 +++++++++- wp-includes/version.php | 2 +- 3 files changed, 19 insertions(+), 3 deletions(-) diff --git a/wp-includes/pluggable.php b/wp-includes/pluggable.php index 04a4ef8b55..0e9e0d4579 100644 --- a/wp-includes/pluggable.php +++ b/wp-includes/pluggable.php @@ -2224,7 +2224,15 @@ if ( ! function_exists( 'wp_new_user_notification' ) ) : /* translators: %s: User login. */ $message = sprintf( __( 'Username: %s' ), $user->user_login ) . "\r\n\r\n"; $message .= __( 'To set your password, visit the following address:' ) . "\r\n\r\n"; - $message .= network_site_url( "wp-login.php?action=rp&key=$key&login=" . rawurlencode( $user->user_login ), 'login' ) . "\r\n\r\n"; + + /* + * Since some user login names end in a period, this could produce ambiguous URLs that + * end in a period. To avoid the ambiguity, ensure that the login is not the last query + * arg in the URL. If moving it to the end, a trailing period will need to be escaped. + * + * @see https://core.trac.wordpress.org/tickets/42957 + */ + $message .= network_site_url( 'wp-login.php?login=' . rawurlencode( $user->user_login ) . "&key=$key&action=rp", 'login' ) . "\r\n\r\n"; $message .= wp_login_url() . "\r\n"; diff --git a/wp-includes/user.php b/wp-includes/user.php index 38ff198286..5a05fff2f4 100644 --- a/wp-includes/user.php +++ b/wp-includes/user.php @@ -3219,7 +3219,15 @@ function retrieve_password( $user_login = null ) { $message .= sprintf( __( 'Username: %s' ), $user_login ) . "\r\n\r\n"; $message .= __( 'If this was a mistake, ignore this email and nothing will happen.' ) . "\r\n\r\n"; $message .= __( 'To reset your password, visit the following address:' ) . "\r\n\r\n"; - $message .= network_site_url( "wp-login.php?action=rp&key=$key&login=" . rawurlencode( $user_login ), 'login' ) . '&wp_lang=' . $locale . "\r\n\r\n"; + + /* + * Since some user login names end in a period, this could produce ambiguous URLs that + * end in a period. To avoid the ambiguity, ensure that the login is not the last query + * arg in the URL. If moving it to the end, a trailing period will need to be escaped. + * + * @see https://core.trac.wordpress.org/tickets/42957 + */ + $message .= network_site_url( 'wp-login.php?login=' . rawurlencode( $user_login ) . "&key=$key&action=rp", 'login' ) . '&wp_lang=' . $locale . "\r\n\r\n"; if ( ! is_user_logged_in() ) { $requester_ip = $_SERVER['REMOTE_ADDR']; diff --git a/wp-includes/version.php b/wp-includes/version.php index 1db4f12258..3acd190779 100644 --- a/wp-includes/version.php +++ b/wp-includes/version.php @@ -16,7 +16,7 @@ * * @global string $wp_version */ -$wp_version = '6.7-alpha-58673'; +$wp_version = '6.7-alpha-58674'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.