• Hi all,

    I have some problems with the reset password feature: when I ask for a new password via the “Lost password” link in “wp-login.php”, I receive a confirmation link with a key to validate the reset of my password.

    The problem is that it appears the key is often invalid (“invalid key” error). After searching in the code I noticed some strange things.

    In “wp-login.php”, we have the code $key = wp_generate_password(); to generate a key. When I look in the wp_generate_password function, I see $chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()"; which enumerates all characters allowed in the key or password.

    Back in “wp-login.php” (when we click on the confirmation link), we have in the reset_password() function: $key = preg_replace('/[^a-z0-9]/i', '', $key);.

    So we can have a lot of characters allowed to generate the key/password, but in the end only alphanum chars are taken into account.

    Is it a bug, or have I missed something? In my case and for the moment, I’ll comment out the preg_replace in the reset_password function.

    David
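
The mismatch described in the post above, reproduced as an added stand-alone example (not WordPress source and not the poster's code): keys are drawn from the quoted 72-character list, passed through the quoted `preg_replace`, and compared with the stored value, alongside the expected failure rate 1 - (62/72)^n. The function names, the key length of 12 and the sample key are assumptions made for the illustration.

```php
<?php
// Added illustration, not WordPress source. The character list and the
// regex are the ones quoted in the post; all function names are hypothetical.
const KEY_CHARS = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()';

// Stand-in generator: draws $length characters from $alphabet.
function generate_key(int $length, string $alphabet = KEY_CHARS): string {
    $key = '';
    $max = strlen($alphabet) - 1;
    for ($i = 0; $i < $length; $i++) {
        $key .= $alphabet[random_int(0, $max)];
    }
    return $key;
}

// Filter applied to the key taken from the confirmation link.
function filter_submitted_key(string $key): string {
    return preg_replace('/[^a-z0-9]/i', '', $key);
}

// The reset succeeds only if the filtered key still equals the stored one.
function key_validates(string $stored): bool {
    return hash_equals($stored, filter_submitted_key($stored));
}

// Fraction of $trials generated keys that the filter would invalidate.
function failure_rate(int $length, string $alphabet, int $trials = 20000): float {
    $failed = 0;
    for ($i = 0; $i < $trials; $i++) {
        if (!key_validates(generate_key($length, $alphabet))) {
            $failed++;
        }
    }
    return $failed / $trials;
}

$length = 12; // assumption: the post does not state the key length
$alnum  = filter_submitted_key(KEY_CHARS); // the 62 characters the validator keeps

// Constructed sample key: "^" and "!" are stripped, so it no longer matches.
echo filter_submitted_key('aB3^xY!9'), "\n";

printf("72-char alphabet, measured: %.3f\n", failure_rate($length, KEY_CHARS));
printf("72-char alphabet, expected: %.3f\n", 1 - (62 / 72) ** $length);
printf("62-char alphabet, measured: %.3f\n", failure_rate($length, $alnum));
```

Generating the key from the same alphabet the validator accepts brings the failure rate to zero without removing the input filter.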

Viewing 4 replies - 1 through 4 (of 4 total)
  • Thread Starter pirusan

    (@pirusan)

    Hi all, me again.

    The character “^” in the characters list is not taken into account in the URL detection in Gmail; the URL is clickable only up to the “^”, so the link is broken. Of course it’s OK if we copy/paste the link, but not everybody has this reflex. One good thing would be the possibility to give our own chars list somewhere in the admin or in the wp-settings.php for example.

    Read you soon,
    David

    You’re correct … the reset password function is creating keys with more than alpha-numeric characters – but they’re the only allowed characters that the wp-login.php function accepts. So it fails sometimes! I’ve edited it on my end – but this needs to be fixed for future releases.

    Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    This is already fixed in 2.5.1. See here:
    http://trac.wordpress.org/ticket/6842

    However, any bad reset keys generated prior to 2.5.1 will remain, so the 2.5.2 upgrade will clear out all the keys from the database to avoid the issue.

    Thread Starter pirusan

    (@pirusan)

    Hi,

    I installed a new, fresh WP last week and the problem seems to be still there (both the preg_replace() which keeps only alphanum characters and the “^” character)…

    Let’s see what’ll happen in WP 2.5.2

    Cheers,
    David


The topic ‘Problem with “reset password” feature’ is closed to new replies.