Changeset 10288

Timestamp:

09/26/2020 01:46:31 AM (5 years ago)

Author:

dd32

Message:

Login: Don't allow usernames with trailing spaces or other whitespace around it.

A handful of new registrations included a space trailing their username which caused the confirmation emails to include invalid activation links.

See ​https://wordpress.slack.com/archives/C08M59V3P/p1601053672001300

Location:

sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-login

Files:

• functions-registration.php (modified) (4 diffs)
• register.php (modified) (1 diff)

sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-login/functions-registration.php

@@ -49 +49 @@
 function wporg_login_create_pending_user( $user_login, $user_email, $user_mailinglist = false  ) {
     global $wpdb, $wp_hasher;
+
+    // Remove any whitespace which might have accidentally been added.
+    $user_login = trim( $user_login );
+    $user_email = trim( $user_email );
 
     // Allow for w.org plugins to block registrations based on spam checks, etc.
@@ -132 +136 @@
     $body .= sprintf( __( 'Your username is: %s', 'wporg' ), $user_login ) . "\n";
     $body .= __( 'You can create a password at the following URL:', 'wporg' ) . "\n";
-    $body .= home_url( "/register/create/{$user_login}/{$activation_key}/" );
+    $body .= home_url( '/register/create/' . urlencode( $user_login ) . '/' . urlencode( $activation_key ) . '/' );
     $body .= "\n\n";
     $body .= __( '-- The WordPress.org Team', 'wporg' );
@@ -204 +208 @@
 
     // Insert user, no password tho.
-    $user_login = $pending_user['user_login'];
-    $user_email = $pending_user['user_email'];
+    $user_login = trim( $pending_user['user_login'] );
+    $user_email = trim( $pending_user['user_email'] );
     $user_mailinglist = !empty( $pending_user['meta']['user_mailinglist'] ) && $pending_user['meta']['user_mailinglist'];
 
@@ -279 +283 @@
     foreach ( $fields as $field ) {
         if ( isset( $_POST['user_fields'][ $field ] ) ) {
-            $value = sanitize_text_field( wp_unslash( $_POST['user_fields'][ $field ] ) );
+            $value = trim( sanitize_text_field( wp_unslash( $_POST['user_fields'][ $field ] ) ) );
             if ( 'url' == $field ) {
                 if ( $pending_user ) {

sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-login/register.php

@@ -6 +6 @@
  */
 
-$user_login = isset( $_POST['user_login'] ) ? wp_unslash( $_POST['user_login'] ) : '';
+$user_login = isset( $_POST['user_login'] ) ? trim( wp_unslash( $_POST['user_login'] ) ) : '';
 if ( ! $user_login && !empty( WP_WPOrg_SSO::$matched_route_params['user'] ) ) {
-    $user_login = WP_WPOrg_SSO::$matched_route_params['user'];
+    $user_login = trim( WP_WPOrg_SSO::$matched_route_params['user'] );
 }
-$user_email = isset( $_POST['user_email'] ) ? wp_unslash( $_POST['user_email'] ) : '';
+$user_email = isset( $_POST['user_email'] ) ? trim( wp_unslash( $_POST['user_email'] ) ) : '';
 $user_mailinglist = isset( $_POST['user_mailinglist'] ) && 'true' == $_POST['user_mailinglist'];