From 00ea16d24f596ba94f4d91a085e85cc477d34c02 Mon Sep 17 00:00:00 2001 From: Champ Camba Date: Thu, 17 Jan 2019 12:18:19 +0800 Subject: [PATCH] Fix password reset cookie --- includes/core/class-password.php | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/includes/core/class-password.php b/includes/core/class-password.php index 507536ec..f7fb8ef0 100644 --- a/includes/core/class-password.php +++ b/includes/core/class-password.php @@ -286,9 +286,19 @@ if ( ! class_exists( 'um\core\Password' ) ) { exit; } $rp_login = $userdata->user_login; - $value = sprintf( '%s:%s', $rp_login, wp_unslash( $_GET['hash'] ) ); - setcookie( $rp_cookie, $value, 0, $rp_path, COOKIE_DOMAIN, is_ssl(), true ); - wp_safe_redirect( remove_query_arg( array( 'hash', 'user_id' ) ) ); + $rp_key = wp_unslash( $_GET['hash'] ); + + $user = check_password_reset_key( $rp_key, $rp_login ); + + if ( is_wp_error( $user ) ) { + setcookie( $rp_cookie, ' ', time() - YEAR_IN_SECONDS, $rp_path, COOKIE_DOMAIN, is_ssl(), true ); + wp_redirect( add_query_arg( array( 'updated' => 'invalidkey' ), get_permalink() ) ); + }else{ + $value = sprintf( '%s:%s', $rp_login, wp_unslash( $_GET['hash'] ) ); + setcookie( $rp_cookie, $value, 0, $rp_path, COOKIE_DOMAIN, is_ssl(), true ); + wp_safe_redirect( remove_query_arg( array( 'hash', 'user_id' ) ) ); + } + exit; } @@ -299,7 +309,7 @@ if ( ! class_exists( 'um\core\Password' ) ) { $user = false; } - if ( ! $user || is_wp_error( $user ) ) { + if ( ( ! $user || is_wp_error( $user ) ) && ! isset( $_GET['updated'] ) ) { setcookie( $rp_cookie, ' ', time() - YEAR_IN_SECONDS, $rp_path, COOKIE_DOMAIN, is_ssl(), true ); if ( $user && $user->get_error_code() === 'expired_key' ) { wp_redirect( add_query_arg( array( 'updated' => 'expiredkey' ), get_permalink() ) );