Login and Registration: Check that $_POST value is a string in retrieve_password().

This prevents a fatal error from `trim()` if an array is passed instead.

Follow-up to [6643], [19056], [41782], [50129], [50140], [59595].

Props leedxw, dilipbheda, mukesh27, SergeyBiryukov.
Fixes #63433.

git-svn-id: https://develop.svn.wordpress.org/trunk@60240 602fd350-edb4-49c9-b593-d223f7449a82

Author: SergeyBiryukov

src/wp-includes/user.php

@@ -3172,7 +3172,7 @@ function retrieve_password( $user_login = '' ) {
 	$user_data = false;
 
 	// Use the passed $user_login if available, otherwise use $_POST['user_login'].
-	if ( ! $user_login && ! empty( $_POST['user_login'] ) ) {
+	if ( ! $user_login && ! empty( $_POST['user_login'] ) && is_string( $_POST['user_login'] ) ) {
 		$user_login = $_POST['user_login'];
 	}
 

tests/phpunit/tests/user/retrievePassword.php

@@ -87,4 +87,23 @@ public function test_retrieve_password_should_fetch_user_by_login_if_not_found_b
 	public function test_retrieve_password_does_not_throw_deprecation_notice_with_default_parameters() {
 		$this->assertWPError( retrieve_password() );
 	}
+
+	/**
+	 * Tests that a fatal error is not thrown when the login passed via `$_POST`
+	 * is an array instead of a string.
+	 *
+	 * The message that we should not see:
+	 * `TypeError: trim(): Argument #1 ($string) must be of type string, array given`.
+	 *
+	 * @ticket 62794
+	 */
+	public function test_retrieve_password_does_not_throw_fatal_error_with_array_parameters() {
+		$_POST['user_login'] = array( 'example' );
+
+		$error = retrieve_password();
+		$this->assertWPError( $error, 'The result should be an instance of WP_Error.' );
+
+		$error_codes = $error->get_error_codes();
+		$this->assertContains( 'empty_username', $error_codes, 'The "empty_username" error code should be present.' );
+	}
 }