Non-slashed $old_user_data->user_email in wp_insert_user causes user_activation_key to be unset

[emirpprime]

WordPress now allows apostrophes in email addresses, but the forgot password process for these users fails.

$data['user_activation_key'] in wp_insert_user() get's cleared when the $user_email !== $old_user_data->user_email comparison fails.
This is because $old_user_data is the "clean" data from the database, however wp_update_user() calls add_magic_quotes() on the user data it passes, causing apostrophes in email addresses to be slashed.

Process fails silently as there is no error when $data['user_activation_key'] is cleared in this flow, even though it is required for the forgot password system to function.

To replicate - register a user with an apostrophe in their email, use the lost password system from wp-login.php. An email will be sent/received, but the reset link is deemed invalid as there is no user_activation_key in the db.

Patch (about to be) attached to slash email only in $old_user_data. While this fixes the bug, it does raise the question of whether get_password_reset_key() should validate that the key is created directly as wp_update_user() errors don't give the granularity to tell us.

[desrosj]

#53699 was marked as a duplicate.

[kebbet]

#58003 was marked as a duplicate.

[kebbet]

#58002 was marked as a duplicate.

[rajinsharwar]

Putting this for 6.4

Unit tests for resetting email with an apostrophe

Trac ticket: https://core.trac.wordpress.org/ticket/52529

[rajinsharwar]

Reverting the units tests, need to check further for failures.

[rajinsharwar]

As per the discussions on the Bugs Scrub of today (09/28/2023), the current patch was proposed to be tested if it was working correctly, and if it was working fine with the current upstream.

After testing the current patch, I found that the patch is working as expected, and I am able to reset the password for a user who has an apostrophe in his/her email.

@oglekler @mukesh27 Do you think we need unit tests for this scenario?

[oglekler]

@rajinsharwar you don't have an apostrophe in your unit test. I think it needs unit test, and you just need to adjust yours a bit (to add this apostrophe into the email), reopen the PR and add needs-testing. It looks like this PR is almost ready, so let's try to finish it. Thank you!

Setting a new password using the reset link is impossible for the reason that the user's email contains an apostrophe.

[fnpen]

I added the fix and test which covers the change, but I found the new issues, which appear in the user editing form. But it's a separate problem another part of the code.

[rajinsharwar]

Hi @fnpen, thank you so much for your unit tests :)

On the thing you mentioned about the errors that are appearing in the user editing form, would you mind sharing a screenshot or reference of the error?

[nicolefurlan]

@rajinsharwar do you mind if I add you as the owner of this ticket so that you can usher it through and make sure it gets addressed? :)

[rajinsharwar]

Hi @nicolefurlan, sure no prob, I will assign it to myself.

[nicolefurlan]

This ticket was discussed in today's bug scrub.

@fnpen could you create another ticket with your findings regarding the user editing form?

Bumping this to 6.5. @rajinsharwar if you feel that you can get this tested and committed in time, feel free to move it back to 6.4!

Props @hellofromTonya and @oglekler

[rajinsharwar]

The current patch of ​https://github.com/WordPress/wordpress-develop/pull/5432 looks good! If we can get some test reports on this, we can get this merged before Beta 1.

[swissspidy]

In 57711:

Login and Registration: Slash email address when updating an existing user.

Addresses an issue with password reset keys when the email address contains special characters such as apostrophes.

Props emirpprime, rajinsharwar, fnpen, hellofromTonya, oglekler, nicolefurlan.
Fixes #52529.