From 31105be6c76453424682af2cac32536a8886d45b Mon Sep 17 00:00:00 2001
From: Sergey Biryukov <sergeybiryukov@git.wordpress.org>
Date: Wed, 6 Aug 2014 02:16:51 +0000
Subject: [PATCH] Avoid PHP notices in wp-login.php if password reset cookie is
 not set.

props mdawaffe.
see #29060.

git-svn-id: https://develop.svn.wordpress.org/trunk@29381 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-login.php | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/src/wp-login.php b/src/wp-login.php
index bbf671ec71..b87be1bc8d 100644
--- a/src/wp-login.php
+++ b/src/wp-login.php
@@ -568,13 +568,16 @@ case 'rp' :
 		exit;
 	}
 
-	list( $rp_login, $rp_key ) = explode( ':', wp_unslash( $_COOKIE[ $rp_cookie ] ), 2 );
+	if ( isset( $_COOKIE[ $rp_cookie ] ) && 0 < strpos( $_COOKIE[ $rp_cookie ], ':' ) ) {
+		list( $rp_login, $rp_key ) = explode( ':', wp_unslash( $_COOKIE[ $rp_cookie ] ), 2 );
+		$user = check_password_reset_key( $rp_key, $rp_login );
+	} else {
+		$user = false;
+	}
 
-	$user = check_password_reset_key( $rp_key, $rp_login );
-
-	if ( is_wp_error($user) ) {
+	if ( ! $user || is_wp_error( $user ) ) {
 		setcookie( $rp_cookie, ' ', time() - YEAR_IN_SECONDS, $rp_path, COOKIE_DOMAIN, is_ssl(), true );
-		if ( $user->get_error_code() === 'expired_key' )
+		if ( $user && $user->get_error_code() === 'expired_key' )
 			wp_redirect( site_url( 'wp-login.php?action=lostpassword&error=expiredkey' ) );
 		else
 			wp_redirect( site_url( 'wp-login.php?action=lostpassword&error=invalidkey' ) );