Hi, I'd like to fix an annoying bug (#519798) in the wordpress password reset procedure in lenny. debdiff attached. Cheers, Giuseppe.
diffstat for wordpress_2.5.1-11+lenny1 wordpress_2.5.1-11+lenny2
debian/patches/017lostpassword.dpatch | 39 ++++++++++++++++++++++++++++++++++
wordpress-2.5.1/debian/changelog | 7 ++++++
wordpress-2.5.1/debian/patches/00list | 1
3 files changed, 47 insertions(+)
diff -u wordpress-2.5.1/debian/changelog wordpress-2.5.1/debian/changelog
--- wordpress-2.5.1/debian/changelog
+++ wordpress-2.5.1/debian/changelog
@@ -1,3 +1,10 @@
+wordpress (2.5.1-11+lenny2) stable; urgency=low
+
+ * [1dd14e6] Fixed a bug in the password reset procedure, users are now
+ able to reset their passwords (Closes: #519798)
+
+ -- Giuseppe Iuculano <giuseppe@iuculano.it> Tue, 25 Aug 2009 12:44:20 +0200
+
wordpress (2.5.1-11+lenny1) stable-security; urgency=high
* [27cfd35] Fixed CVE-2008-6762: Force redirect after an upgrade
diff -u wordpress-2.5.1/debian/patches/00list wordpress-2.5.1/debian/patches/00list
--- wordpress-2.5.1/debian/patches/00list
+++ wordpress-2.5.1/debian/patches/00list
@@ -16,0 +17 @@
+017lostpassword.dpatch
only in patch2:
unchanged:
--- wordpress-2.5.1.orig/debian/patches/017lostpassword.dpatch
+++ wordpress-2.5.1/debian/patches/017lostpassword.dpatch
@@ -0,0 +1,39 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 017lostpassword.dpatch by Giuseppe Iuculano <giuseppe@iuculano.it>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fixed a bug in password reset procedure, users are now able to reset their passwords (Closes: #519798)
+
+@DPATCH@
+diff -urNad wordpress~/wp-includes/pluggable.php wordpress/wp-includes/pluggable.php
+--- wordpress~/wp-includes/pluggable.php 2009-08-25 12:13:53.000000000 +0200
++++ wordpress/wp-includes/pluggable.php 2009-08-25 12:26:50.000000000 +0200
+@@ -1168,8 +1168,11 @@
+ *
+ * @return string The random password
+ **/
+-function wp_generate_password($length = 12) {
+- $chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()";
++function wp_generate_password($length = 12, $special_chars = true) {
++ $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
++ if ( $special_chars )
++ $chars .= '!@#$%^&*()';
++
+ $password = '';
+ for ( $i = 0; $i < $length; $i++ )
+ $password .= substr($chars, mt_rand(0, strlen($chars) - 1), 1);
+diff -urNad wordpress~/wp-login.php wordpress/wp-login.php
+--- wordpress~/wp-login.php 2009-08-25 12:20:09.000000000 +0200
++++ wordpress/wp-login.php 2009-08-25 12:27:23.000000000 +0200
+@@ -91,9 +91,9 @@
+ do_action('retrieve_password', $user_login);
+
+ $key = $wpdb->get_var($wpdb->prepare("SELECT user_activation_key FROM $wpdb->users WHERE user_login = %s", $user_login));
+- if ( empty($key) ) {
++ if ( empty($key) || preg_match('/[^a-z0-9]/i',$key) != 0) {
+ // Generate something random for a key...
+- $key = wp_generate_password();
++ $key = wp_generate_password(20, false);
+ do_action('retrieve_password_key', $user_login, $key);
+ // Now insert the new md5 key into the db
+ $wpdb->query($wpdb->prepare("UPDATE $wpdb->users SET user_activation_key = %s WHERE user_login = %s", $key, $user_login));
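Review bot: The reset key produced by `wp_generate_password(20, false)` in the wp-login.php hunk is a bearer secret for account recovery, yet the generator in the pluggable.php hunk still draws every character from `mt_rand()`, which is not a cryptographically secure source; the longer length only makes up for the smaller 62-character alphabet if the underlying randomness is sound. I would at least record this next to the call with a comment such as `// NOTE: $key is a password-reset secret; mt_rand() is not a CSPRNG, switch to a stronger source when one is available`. The docblock above `wp_generate_password` should also gain a `@param bool $special_chars` line describing the new argument, and the context comment `// Now insert the new md5 key into the db` looks stale, since the value written by the UPDATE is the plain key. Both functions continue outside the hunks shown, so the return path of the generator and the later comparison of the key are not visible here.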