WordPress pw reset link mangling

Like a most people I moved over to using a web mail client around a decade ago. Unfortunately WordPress password reset e-mails don’t work with mine, or apparently those of many others.

Although I still have Thunderbird on my personal workstation at home and my company supplies me with a copy of Outlook on my work laptop, I still make heavy use of my premium provider’s web mail client.

I recently deployed a simple WordPress site for a nonprofit that I volunteer with. After creating some test accounts for key members the complaints about password reset links not working started pouring in. Oh joy.

My response was what you’d expect from most good sysadmins. I went up to Google in search of… reasons.

After sifting through some posts on how recent changes in the password link generation code had broken some popular plugins, I finally narrowed things down to two different threads on WordPress.org support:

[resolved] Registration – reset password?

[resolved] Hack for wp-login malformed password reset url

The first thing to note about both of these threads is that they’re marked “resolved”, but that in each case the resolution was a user hack on core, not a bug fix from upstream.

The other noticeable feature is that the first was posted only four months ago. The second, four years ago.

In each case the cause of the problem was identified as the “lost password” function placing angle brackets around the password reset url and its one-time token. Many web mail clients (as well as at least one open source desktop client I happened to try), parse this incorrectly, making the final bracket part of the url.

The use of angle brackets around the password reset url was introduced 6 years ago to deal with the word-wrapping of these urls by mail clients. It doesn’t appear in the original ticket that anyone questioned the use of the angle bracket symbol for this purpose.

Why anyone would think that using an angle bracket to enclose any kind of url wouldn’t lead to trouble is beyond me. Square brackets (“[]”), or even God help us, braces (“{}”) would have been better. Basically anything that didn’t use symbols actually used in HTML (or XML, for that matter) markup would have been a better choice. Yes, I know that surrounding e-mail addresses with angle brackets became a convention back before web mail was a glimmer in its momma’s eye (I remember it showing up on 3270 terminal displays in the 1990’s), but use of angle brackets to enclose an HTTP or HTTPS url has never been any kind of standard. Besides, WordPress just went through a major refactoring with version 4 that completely rewrote its front end, and most importantly, with version 4.3 the lost password rest function got a major overhaul (that itself caused collateral damage to innocent bystanders), so there have been plenty of opportunities to stop this particular insanity.

Four years. People have been complaining about this problem for four f*ing years.

The only explanation has to be that someone pretty high up in the hierarchy has a thing for those angle brackets.

Get over it. Really. Please for once elevate function over form and fix the damned problem.

</rant>

NOTE: My (temporary) hack to fix this is the following code in wp-login.php:

// $message .= '<' . network_site_url("wp-login.php?action=rp&key=$key&login=" . rawurlencode($user_login), 'login') . ">\r\n";
// Remove angle brackets ("<>") from around lost password url - PL
$message .= network_site_url("wp-login.php?action=rp&key=$key&login=" . rawurlencode($user_login), 'login') . "\r\n";
This entry was posted in System Administration on by .

About phil

My name is Phil Lembo. In my day job I’m an enterprise IT architect for a leading distribution and services company. The rest of my time I try to maintain a semi-normal family life in the suburbs of Raleigh, NC. E-mail me at philipATlembobrothersDOTcom. The opinions expressed here are entirely my own and not those of my employers, past, present or future (except where I quote others, who will need to accept responsibility for their own rants).