From c54bcc4d3938771670ab04f9e7fecc0d4ddbd787 Mon Sep 17 00:00:00 2001
From: Gary Pendergast <pento@git.wordpress.org>
Date: Thu, 24 Dec 2015 02:48:29 +0000
Subject: [PATCH] User: Don't continue checking a password reset key, if the
 hash is empty.

An empty reset key hash will never be valid, so we can skip seeing if it can be used to validate the given key, and return a failure early.

This fixes a warning in the unit tests under HHVM.

See #33926.




git-svn-id: https://develop.svn.wordpress.org/trunk@36084 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/user.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/wp-includes/user.php b/src/wp-includes/user.php
index 7e83c57494..d62e5e7cf9 100644
--- a/src/wp-includes/user.php
+++ b/src/wp-includes/user.php
@@ -2060,6 +2060,10 @@ function check_password_reset_key($key, $login) {
 		$expiration_time = false;
 	}
 
+	if ( ! $pass_key ) {
+		return new WP_Error( 'invalid_key', __( 'Invalid key' ) );
+	}
+
 	$hash_is_correct = $wp_hasher->CheckPassword( $key, $pass_key );
 
 	if ( $hash_is_correct && $expiration_time && time() < $expiration_time ) {