Password reset bug on ClassicPress Directory

Good morning.

I just registered on directory.classicpress.net and encountered an error loop in the password reset process which makes completing a new user registration impossible (sic).

Expected behavior

User receives a message reading

Someone has requested a password reset for the following account:

Site Name: Directory

Username: ' . $USER . '

If this was a mistake, ignore this email and nothing will happen.

To reset your password, visit the following address:

https://directory.classicpress.net/wp-login.php?action=rp&key=' . $KEY . '&login=' . $USER . '&wp_lang=en_US

This password reset request originated from the IP address ' . $IPADDRESS . '.

Current behavior

Opening the link returns the following error with a new password reset field

Error: Your password reset link appears to be invalid. Please request a new link below.

Possible solution

The error is caused by bad parsing of the &wp_lang=en_US string in the query. If it is removed, the password reset key is read as valid and the user can set a new password.

I’m guessing it’s either a translation plugin issue or an .htaccess issue.

Steps to reproduce

Provide a link to a live example, or an unambiguous set of steps to reproduce
this bug. Include code to reproduce, if relevant.

  1. Visit https://directory.classicpress.net/wp-login.php?action=lostpassword
  2. Request a new password
  3. Click on the link to reset password
  4. Make stinkface
  5. Delete &wp_lang=en_US from the URL and hit ENTER
  6. Reset password
  7. Nod in satisfaction

I can confirm this bug. There doesn’t appear to be anything in the .htaccess file doing this, and there isn’t a traditional translation plugin either. But the OS for the server has just been updated, and I’m wondering if it has something to do with that. Any ideas, @MattyRob ?

I haven’t updated the OS on that server yet. This feels familiar - like an issue discussed or addressed before.

@ElisabettaCarrara has reported password reset issues on Firefox, now that you mention it, and I just tried on Firefox too. @opendna Were you on Firefox when you experienced this?

Hmm, just tried on Android Chrome with the same result.

Confirmed on Firefox several days ago; I thought it was something wrong with the email that was sent.

No sir. I was using Chrome.

@opendna and @timkaye, recently the same FF bug was reported on Chrome also (and probably all browsers based on its engine).

It seems browsers won’t solve it because there is a workaround (copy the link and paste it in a new tab of the same browser). I did report on FF however and their support told me it was a known issue that resurfaces from time to time.

I think I might have found an issue in the core code that would produce this error. It’s strange we are not seeing it elsewhere - but perhaps that is the presumed FF issue.

Anyway, I have applied the fix manually on the directory server, please can you try again and let me know if it now works.

Unfortunately, I’m getting the same result as before.

Is that clicking the link from the email, copying and pasting into a browser or both?

Copying and pasting and clicking from some clients is working on the directory site for me.

No, that did not resolve it, but I have a new symptom to report:

  1. When the emailed link is clicked (in Gmail), I get the error.
  2. When the same link is copy/pasted, I get success.

Tested in

  1. MS-Windows:Chrome:Gmail
  2. MS-Windows:Edge:Gmail
  3. Android:Chrome:Gmail

Not tested on my own ClassicPress install yet.

For better or worse, I have reproduced this bug on my own ClassicPress installation and with Yahoo Mail.

I have also confirmed that editing the HTML inside Gmail to remove the data-saferedirecturl tag and source=gmail query will not eliminate the bug.

(edit: My error: it’s not shared with WP 6.2.2.)

I just clicked on the link; copy and pasting wouldn’t work for me because the Outlook email account to which the email is sent adds something else to the link which can’t be resolved by copying and pasting.

I think there may be 2 issues here then - a cookie setting issue that I identified and fixed based on this thread. And an established issue with mail clients altering the URL structure and breaking it - the latter is a much bigger challenge to fix.

1 Like
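
An added diagnostic example (not code from this thread or from ClassicPress) for checking whether a mail client altered the reset link: it compares the link as sent with the URL the server received and reports parameter names only, so the reset key is never printed. The sample URLs and key values are constructed, and obtaining the received URL from the web server's request log is an assumption.

```python
from urllib.parse import urlsplit, parse_qsl

# Parameters the reset link in the report depends on.
REQUIRED = ("action", "key", "login")

def diff_reset_link(sent: str, received: str) -> dict:
    """Compare the mailed reset link with the URL the server actually saw.

    Only parameter *names* are reported; the key is a secret and is
    compared but never returned or printed.
    """
    s, r = urlsplit(sent), urlsplit(received)
    sq = dict(parse_qsl(s.query, keep_blank_values=True))
    rq = dict(parse_qsl(r.query, keep_blank_values=True))
    return {
        "host_or_path_changed":
            (s.netloc.lower(), s.path) != (r.netloc.lower(), r.path),
        "added": sorted(rq.keys() - sq.keys()),
        "removed": sorted(sq.keys() - rq.keys()),
        "altered": sorted(k for k in sq.keys() & rq.keys() if sq[k] != rq[k]),
        "required_intact":
            all(k in rq and rq[k] == sq.get(k) for k in REQUIRED),
    }

# Constructed sample data (placeholder key and username, not real values).
BASE = "https://directory.classicpress.net/wp-login.php"
SENT = BASE + "?action=rp&key=EXAMPLEKEY1234567890&login=exampleuser&wp_lang=en_US"
# The manual workaround from the report: wp_lang deleted by hand.
WORKAROUND = BASE + "?action=rp&key=EXAMPLEKEY1234567890&login=exampleuser"
# A client appending its own parameter to the link.
TRACKED = SENT + "&source=gmail"
# A client truncating the key (constructed failure case).
TRUNCATED = BASE + "?action=rp&key=EXAMPLEKEY12345&login=exampleuser&wp_lang=en_US"

if __name__ == "__main__":
    for name, url in [("workaround", WORKAROUND), ("tracked", TRACKED),
                      ("truncated", TRUNCATED)]:
        print(name, diff_reset_link(SENT, url))
```

If `required_intact` is true and the reset still fails, the link's parameters arrived unchanged and the URL rewriting explanation does not account for that failure.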

Maybe. I have just tried resetting a password on one of my CP test sites, and the password reset link was correctly configured (without the language-related string).

But in the CP Directory site email logs, I can see that the string is being included in the link. (I just tried again and it’s still happening.)

The URL attribute of wp_lang is used to set a cookie for language options, if they are available, as far as I can tell. I’ve added a line that after the cookie is set strips the wp_lang attribute from the URL and redirects.

It’s on the directory site now - does that make any difference? I’m not sure this is linked to that parameter being present but let’s test.

Unfortunately, it doesn’t make any difference.
