Problem when Resetting the Password (Invalid Key) with users that contain spaces

Resolved synkinetic
(@synkinetic)

3 years, 6 months ago
The problem occurs when a user, who are stored in the wp_users table, and that the user_login field contains some space, for example “test hello”

The user correctly requests the password recovery, and receives an email (in html format like the following)

https://www.dominio.es/resetpass/?key=removedbymoderatorforprivacys&login=test%20hello

With a symbol of < at the beginning and another of > at the end (won’t let me paste it here; D)

In the login field, you can see that the character “%20” is inserted between the words test and hello

When clicking the link, an ‘invalidkey’ error occurs

https://www.dominio.es/lostpassword/?error=invalidkey

I’ve also tried to copy the address (without the < and > symbols), and paste it into the browser’s address bar and the result is the same (invalidkey).
This is the url

https://www.dominio.es/resetpass/?key=removedbymoderator&login=test%20hello

I have investigated a little, and in the process of password recovery, a variable is saved where the user’s name is inside a Cookie

When retrieving the cookie information, within the tml_password_reset_handler function (from the actions.php file line 581 @since 7.0 ), the cookie content is read and in the line

list( $rp_login, $rp_key ) = explode( ‘:’, wp_unslash( $_COOKIE[ $rp_cookie ] ), 2 );

when retrieving the user information from the cookie, in the $rp_login variable it retrieves the value “test+hello” (with a ‘+’ symbol between both words)

In the following line, when trying to retrieve the user “test+hello” from the database (with the function check_password_reset_key), it returns an error, because the user does not exist (in the database it is saved as “test hello”

$user = check_password_reset_key( $rp_key, $rp_login );

If I replace, with a str_replace, the “+” by ” “, then it works correctly (before calling the function check_password_reset_key)

$rp_login=str_replace(‘+’,’ ‘,$rp_login);

Let’s see if you can help me solve this case

Thank you very much.
- This topic was modified 3 years, 6 months ago by synkinetic.
- This topic was modified 3 years, 6 months ago by synkinetic.
- This topic was modified 3 years, 6 months ago by synkinetic.
- This topic was modified 3 years, 6 months ago by synkinetic.
- This topic was modified 3 years, 6 months ago by Yui.

Viewing 5 replies - 1 through 5 (of 5 total)

Thread Starter synkinetic
(@synkinetic)

3 years, 6 months ago

can someone help me with this problem?

Thank you

Plugin Author Jeff Farthing
(@jfarthing84)

3 years, 6 months ago

Interesting as this code was basically taken directly from wp-login.php. Does this work properly if you disable TML and attempt to use wp-login.php?

Thread Starter synkinetic
(@synkinetic)

3 years, 6 months ago

Well, I have disabled the plugin and I have tried accessing http://www.dominio.es/wp-login.php and the operation is the same (incorrect), invalidkey error.

Any suggestion?
Thread Starter synkinetic
(@synkinetic)

3 years, 6 months ago
The only difference in the email obtained is the path, but the value that goes in the login field is the same (with the “%” between the 2 words of the user) and the < and > at the beginning and the end of the url

<https://www.dominio.es/resetpass/?key=oKA5k0rMY4deVAMGHo2T&login=test%20hello>

<https://www.dominio.es/wp-login.php?action=rp&key=vTTxnvUQLa7MSclaHLgx&login=test%20hello>
- This reply was modified 3 years, 6 months ago by synkinetic.
Thread Starter synkinetic
(@synkinetic)

3 years, 6 months ago

Well it seems that it is a wp problem, with php 7.4.2.
Downloading the version to 7.3.14, it already works correctly.

Viewing 5 replies - 1 through 5 (of 5 total)

The topic ‘Problem when Resetting the Password (Invalid Key) with users that contain spaces’ is closed to new replies.

Tags