Medium severity · 5.3 · NVD Advisory · Published May 1, 2017 · Updated May 13, 2026

CVE-2017-8385

CVE-2017-8385

Description

Craft CMS before 2.6.2976 does not prevent modification of the URL in a forgot-password email message.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
craftcms/cms (Packagist) | < 2.6.2976 | 2.6.2976

Affected products

1

Patches

1
38c594badc8e

UsersService cleanup

https://github.com/craftcms/cmsbrandonkellyApr 27, 2017via ghsa
1 file changed · +42 43
  • src/services/UsersService.php+42 43 modified
    @@ -512,28 +512,7 @@ public function sendPasswordResetEmail(UserModel $user)
     	 */
     	public function getEmailVerifyUrl(UserModel $user)
     	{
    -		$userRecord = $this->_getUserRecordById($user->id);
    -		$unhashedVerificationCode = $this->_setVerificationCodeOnUserRecord($userRecord);
    -		$userRecord->save();
    -
    -		if ($user->can('accessCp'))
    -		{
    -			$url = UrlHelper::getActionUrl('users/verifyemail', array('code' => $unhashedVerificationCode, 'id' => $userRecord->uid), craft()->request->isSecureConnection() ? 'https' : 'http');
    -		}
    -		else
    -		{
    -			// We want to hide the CP trigger if they don't have access to the CP.
    -			$path = craft()->config->get('actionTrigger').'/users/verifyemail';
    -			$params = array(
    -				'code' => $unhashedVerificationCode,
    -				'id' => $userRecord->uid
    -			);
    -
    -			$locale = $user->preferredLocale ?: craft()->i18n->getPrimarySiteLocaleId();
    -			$url = UrlHelper::getSiteUrl($path, $params, UrlHelper::getProtocolForTokenizedUrl(), $locale);
    -		}
    -
    -		return $url;
    +		return $this->_getUserUrl($user, 'verifyemail');
     	}
     
     	/**
    @@ -545,27 +524,7 @@ public function getEmailVerifyUrl(UserModel $user)
     	 */
     	public function getPasswordResetUrl(UserModel $user)
     	{
    -		$userRecord = $this->_getUserRecordById($user->id);
    -		$unhashedVerificationCode = $this->_setVerificationCodeOnUserRecord($userRecord);
    -		$userRecord->save();
    -
    -		$path = craft()->config->get('actionTrigger').'/users/setpassword';
    -		$params = array(
    -			'code' => $unhashedVerificationCode,
    -			'id' => $userRecord->uid
    -		);
    -
    -		$scheme = UrlHelper::getProtocolForTokenizedUrl();
    -
    -		if ($user->can('accessCp'))
    -		{
    -			return UrlHelper::getCpUrl($path, $params, $scheme);
    -		}
    -		else
    -		{
    -			$locale = $user->preferredLocale ?: craft()->i18n->getPrimarySiteLocaleId();
    -			return UrlHelper::getSiteUrl($path, $params, $scheme, $locale);
    -		}
    +		return $this->_getUserUrl($user, 'setpassword');
     	}
     
     	/**
    @@ -1694,4 +1653,44 @@ private function _setPasswordOnUserRecord(UserModel $user, UserRecord $userRecor
     
     		return $success;
     	}
    +
    +	/**
    +	 * Sets a new verification code on a user, and returns their new verification URL
    +	 *
    +	 * @param UserModel $user   The user that should get the new Password Reset URL
    +	 * @param string    $action The UsersController action that the URL should point to
    +	 *
    +	 * @return string The new Password Reset URL.
    +	 * @see getPasswordResetUrl()
    +	 * @see getEmailVerifyUrl()
    +	 */
    +	private function _getUserUrl(UserModel $user, $action)
    +	{
    +		$userRecord = $this->_getUserRecordById($user->id);
    +		$unhashedVerificationCode = $this->_setVerificationCodeOnUserRecord($userRecord);
    +		$userRecord->save();
    +
    +		$path = craft()->config->get('actionTrigger').'/users/'.$action;
    +		$params = array(
    +			'code' => $unhashedVerificationCode,
    +			'id' => $userRecord->uid
    +		);
    +
    +		$scheme = UrlHelper::getProtocolForTokenizedUrl();
    +
    +		if ($user->can('accessCp'))
    +		{
    +			// Only use getCpUrl() if the base CP URL has been explicitly set,
    +			// so UrlHelper won't use HTTP_HOST
    +			if (craft()->config->get('baseCpUrl'))
    +			{
    +				return UrlHelper::getCpUrl($path, $params, $scheme);
    +			}
    +
    +			$path = craft()->config->get('cpTrigger').'/'.$path;
    +		}
    +
    +		$locale = $user->preferredLocale ?: craft()->i18n->getPrimarySiteLocaleId();
    +		return UrlHelper::getSiteUrl($path, $params, $scheme, $locale);
    +	}
     }
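Review bot: When `baseCpUrl` is unset, and for every user without `accessCp`, the URL carrying `$unhashedVerificationCode` is still built by `UrlHelper::getSiteUrl()`, and this hunk does not show whether that helper resolves the host from stored configuration or from the incoming request. If it can fall back to the request host, the reset and verification links remain controllable through the Host header on that path, so the guarantee deserves a comment above the final return such as `// getSiteUrl() must resolve from the configured site URL, never from HTTP_HOST` and a regression test that requests a reset with a foreign Host header and asserts the emailed URL is unchanged. The docblock also describes only one of the two callers: `@return string The new Password Reset URL.` would read better as `@return string The new verification URL for the given action.`, with `$user` described as the user who receives the URL.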
    


References

6
