Wordpress 2.8.4

Signed-off-by: Edward Z. Yang <ezyang@mit.edu>

diff --git a/readme.html b/readme.html
index 329e330cb50b895fa68fe9c3eb7857dec5afc061..95e1c1720bf20cbcc7927c7a932b7ae28842139d 100644 (file)
--- a/readme.html
+++ b/readme.html
@@ -8,7 +8,7 @@
 <body>
 <h1 id="logo" style="text-align: center">
        <img alt="WordPress" src="wp-admin/images/wordpress-logo.png" />
-       <br /> Version 2.8.3
+       <br /> Version 2.8.4
 </h1>
 <p style="text-align: center">Semantic Personal Publishing Platform</p>
 
@@ -29,7 +29,7 @@
 
 <h1>Upgrading</h1>
 <p>Before you upgrade anything, make sure you have backup copies of any files you may have modified such as <code>index.php</code>.</p>
-<h2>Upgrading from any previous WordPress to 2.8.3:</h2>
+<h2>Upgrading from any previous WordPress to 2.8.4:</h2>
 <ol>
        <li>Delete your old WP files, saving ones you've modified.</li>
        <li>Upload the new files.</li>

diff --git a/wp-includes/version.php b/wp-includes/version.php
index 05e585cbbe28198c0a44b1736fac3408a488faa5..22b86360b1408c0b7a8b6f0d391b982023f68bd7 100644 (file)
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -8,7 +8,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '2.8.3';
+$wp_version = '2.8.4';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.

diff --git a/wp-login.php b/wp-login.php
index 62898123f2cb2f77ae85050225f1c329671c4565..5378204d553d2d4b66cd221ad42404642cf8da22 100644 (file)
--- a/wp-login.php
+++ b/wp-login.php
@@ -161,7 +161,7 @@ function retrieve_password() {
        $message .= get_option('siteurl') . "\r\n\r\n";
        $message .= sprintf(__('Username: %s'), $user_login) . "\r\n\r\n";
        $message .= __('To reset your password visit the following address, otherwise just ignore this email and nothing will happen.') . "\r\n\r\n";
-       $message .= site_url("wp-login.php?action=rp&key=$key", 'login') . "\r\n";
+       $message .= site_url("wp-login.php?action=rp&key=$key&login=" . rawurlencode($user_login), 'login') . "\r\n";
 
        $title = sprintf(__('[%s] Password Reset'), get_option('blogname'));
 
@@ -182,15 +182,18 @@ function retrieve_password() {
  * @param string $key Hash to validate sending user's password
  * @return bool|WP_Error
  */
-function reset_password($key) {
+function reset_password($key, $login) {
        global $wpdb;
 
        $key = preg_replace('/[^a-z0-9]/i', '', $key);
 
-       if ( empty( $key ) )
+       if ( empty( $key ) || !is_string( $key ) )
                return new WP_Error('invalid_key', __('Invalid key'));
 
-       $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key));
+       if ( empty($login) || !is_string($login) )
+               return new WP_Error('invalid_key', __('Invalid key'));
+
+       $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s AND user_login = %s", $key, $login));
        if ( empty( $user ) )
                return new WP_Error('invalid_key', __('Invalid key'));
 
@@ -370,7 +373,7 @@ break;
 
 case 'resetpass' :
 case 'rp' :
-       $errors = reset_password($_GET['key']);
+       $errors = reset_password($_GET['key'], $_GET['login']);
 
        if ( ! is_wp_error($errors) ) {
                wp_redirect('wp-login.php?checkemail=newpass');