From 27e7c718f6bc04d25d9db77d4a2bec8f7b4c317f Mon Sep 17 00:00:00 2001
From: Helen Hou-Sandi <helen@git.wordpress.org>
Date: Tue, 20 Oct 2020 20:01:04 +0000
Subject: [PATCH] Privacy: Add requester IP to password reset emails.

Props garrett-eclipse, bridgetwillard, isharis, ocean90.
Fixes #43856.


git-svn-id: https://develop.svn.wordpress.org/trunk@49255 602fd350-edb4-49c9-b593-d223f7449a82
---
 .../includes/class-wp-privacy-policy-content.php    |  3 +++
 src/wp-login.php                                    | 13 +++++++++++--
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/src/wp-admin/includes/class-wp-privacy-policy-content.php b/src/wp-admin/includes/class-wp-privacy-policy-content.php
index dd704bdecf..15d6518601 100644
--- a/src/wp-admin/includes/class-wp-privacy-policy-content.php
+++ b/src/wp-admin/includes/class-wp-privacy-policy-content.php
@@ -584,6 +584,9 @@ final class WP_Privacy_Policy_Content {
 			$strings[] = '<p class="privacy-policy-tutorial">' . __( 'By default WordPress does not share any personal data with anyone.' ) . '</p>';
 		}
 
+		/* translators: Default privacy policy text. */
+		$strings[] = '<p>' . $suggested_text . __( 'If you request a password reset, your IP address will be included in the reset email.' ) . '</p>';
+
 		/* translators: Default privacy policy heading. */
 		$strings[] = '<h2>' . __( 'How long we retain your data' ) . '</h2>';
 
diff --git a/src/wp-login.php b/src/wp-login.php
index 143b3e1da0..7c33f9da32 100644
--- a/src/wp-login.php
+++ b/src/wp-login.php
@@ -432,9 +432,18 @@ function retrieve_password() {
 	$message .= sprintf( __( 'Site Name: %s' ), $site_name ) . "\r\n\r\n";
 	/* translators: %s: User login. */
 	$message .= sprintf( __( 'Username: %s' ), $user_login ) . "\r\n\r\n";
-	$message .= __( 'If this was a mistake, just ignore this email and nothing will happen.' ) . "\r\n\r\n";
+	$message .= __( 'If this was a mistake, ignore this email and nothing will happen.' ) . "\r\n\r\n";
 	$message .= __( 'To reset your password, visit the following address:' ) . "\r\n\r\n";
-	$message .= network_site_url( "wp-login.php?action=rp&key=$key&login=" . rawurlencode( $user_login ), 'login' ) . "\r\n";
+	$message .= network_site_url( "wp-login.php?action=rp&key=$key&login=" . rawurlencode( $user_login ), 'login' ) . "\r\n\r\n";
+
+	$requestor_ip = $_SERVER['REMOTE_ADDR'];
+	if ( $requestor_ip ) {
+		$message .= sprintf(
+			/* translators: %s: IP address of password reset requestor. */
+			__( 'This password reset request originated from the IP address %s.' ),
+			$requestor_ip
+		) . "\r\n";
+	}
 
 	/* translators: Password reset notification email subject. %s: Site title. */
 	$title = sprintf( __( '[%s] Password Reset' ), $site_name );