
Changeset 10028


Timestamp:
07/07/2020 06:54:11 AM (5 years ago)
Author:
dd32
Message:

Login: Don't change the activation key upon every resend.

Changing the activation key without changing the email address can cause expired links to be used when delayed.

See #5278.

File:
1 edited

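--- a/sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-login/functions-registration.php
+++ b/sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-login/functions-registration.php
@@ -57,5 +57,4 @@
         wp_die( __( 'Registration Blocked. Please stop.', 'wporg' ) );
     }
-
 
     $profile_key        = wp_generate_password( 24, false, false );
@@ -113,5 +112,5 @@
     $user = wporg_get_pending_user( $user_email );
 
-    if ( ! $user ) {
+    if ( ! $user || $user['created'] ) {
         return false;
     }
@@ -119,9 +118,8 @@
     $user_login = $user['user_login'];
 
-    // Every email gets a new key (and expiration time..)
-    $activation_key        = wp_generate_password( 24, false, false );
-    $hashed_activation_key = time() . ':' . wp_hash_password( $activation_key );
-
-    $user['user_activation_key'] = $hashed_activation_key;
+    $activation_key = wp_hash( $user_login . ':' . $user_email, 'activation' );
+
+    // Every email bumps the expiration time.
+    $user['user_activation_key'] = time() . ':' . wp_hash_password( $activation_key );
     if ( ! wporg_update_pending_user( $user ) ) {
         return false;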
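Review bot: In the last hunk `$activation_key` becomes `wp_hash( $user_login . ':' . $user_email, 'activation' )`, so it is fixed for a given login and email and a resend can no longer revoke a link that was forwarded or otherwise exposed. Each resend also rewrites the `time()` prefix, which extends the lifetime of every earlier link. The commit message suggests this trade-off is intended, but the code should say so, e.g. `// Deterministic per login+email: a resend re-validates earlier links rather than revoking them; only the time() prefix bounds their lifetime.` The key's secrecy now rests on the site salt behind `wp_hash()` and, presumably, on the verification path (not shown here) enforcing that timestamp, so it is worth confirming the expiry check is strict. The enclosing function starts and ends outside the visible hunks.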