Context Navigation

Back to Ticket #5367

Ticket #5367: auth.diff

File auth.diff, 7.1 KB (added by westi, 5 years ago)
First pass patch for switching to auth cookie

Line
1	Index: wp-admin/includes/misc.php
2	===================================================================
3	--- wp-admin/includes/misc.php (revision 6349)
4	+++ wp-admin/includes/misc.php (working copy)
5	@@ -140,7 +140,8 @@
6	// Clear cookies for old paths.
7	wp_clearcookie();
8	// Set cookies for new paths.
9	- wp_setcookie( $user_login, $user_pass_md5, true, get_option( 'home' ), get_option( 'siteurl' ));
10	+ // TODO: Review this - suspect the user will have to log in again.
11	+ //wp_setcookie( $user_login, $user_pass_md5, true, get_option( 'home' ), get_option( 'siteurl' ));
12	}
13
14	add_action( 'update_option_home', 'update_home_siteurl', 10, 2 );
15	Index: wp-includes/pluggable.php
16	===================================================================
17	--- wp-includes/pluggable.php (revision 6349)
18	+++ wp-includes/pluggable.php (working copy)
19	@@ -46,8 +46,8 @@
20	if ( ! empty($current_user) )
21	return;
22
23	- if ( empty($_COOKIE[USER_COOKIE]) \|\| empty($_COOKIE[PASS_COOKIE]) \|\|
24	- !wp_login($_COOKIE[USER_COOKIE], $_COOKIE[PASS_COOKIE], true) ) {
25	+ if ( empty($_COOKIE[USER_COOKIE]) \|\| empty($_COOKIE[AUTH_COOKIE]) \|\|
26	+ !wp_validatecookie($_COOKIE[USER_COOKIE], $_COOKIE[AUTH_COOKIE]) ) {
27	wp_set_current_user(0);
28	return false;
29	}
30	@@ -293,29 +293,21 @@
31	endif;
32
33	if ( !function_exists('wp_login') ) :
34	-function wp_login($username, $password, $already_md5 = false) {
35	- global $wpdb, $error;
36	+function wp_login($username, $password, $deprecated) {
37	+ global $error;
38
39	- $username = sanitize_user($username);
40	-
41	- if ( '' == $username )
42	- return false;
43	-
44	if ( '' == $password ) {
45	$error = __('<strong>ERROR</strong>: The password field is empty.');
46	return false;
47	}
48
49	$login = get_userdatabylogin($username);
50	- //$login = $wpdb->get_row("SELECT ID, user_login, user_pass FROM $wpdb->users WHERE user_login = '$username'");
51
52	if (!$login) {
53	$error = __('<strong>ERROR</strong>: Invalid username.');
54	return false;
55	} else {
56	- // If the password is already_md5, it has been double hashed.
57	- // Otherwise, it is plain text.
58	- if ( ($already_md5 && md5($login->user_pass) == $password) \|\| ($login->user_login == $username && $login->user_pass == md5($password)) ) {
59	+ if ( ($login->user_login == $username && $login->user_pass == md5($password)) ) {
60	return true;
61	} else {
62	$error = __('<strong>ERROR</strong>: Incorrect password.');
63	@@ -340,11 +332,11 @@
64	function auth_redirect() {
65	// Checks if a user is logged in, if not redirects them to the login page
66	if ( (!empty($_COOKIE[USER_COOKIE]) &&
67	- !wp_login($_COOKIE[USER_COOKIE], $_COOKIE[PASS_COOKIE], true)) \|\|
68	+ !wp_validatecookie($_COOKIE[USER_COOKIE], $_COOKIE[AUTH_COOKIE])) \|\|
69	(empty($_COOKIE[USER_COOKIE])) ) {
70	nocache_headers();
71
72	- wp_redirect(get_option('siteurl') . '/wp-login.php?redirect_to=' . urlencode($_SERVER['REQUEST_URI']));
73	+ wp_redirect(get_option('siteurl') . '/wp-login.php?auth=expired&redirect_to=' . urlencode($_SERVER['REQUEST_URI']));
74	exit();
75	}
76	}
77	@@ -376,11 +368,11 @@
78	foreach ( $cookie as $tasty ) {
79	if ( false !== strpos($tasty, USER_COOKIE) )
80	$user = substr(strstr($tasty, '='), 1);
81	- if ( false !== strpos($tasty, PASS_COOKIE) )
82	+ if ( false !== strpos($tasty, AUTH_COOKIE) )
83	$pass = substr(strstr($tasty, '='), 1);
84	}
85
86	- if ( $current_name != $user \|\| !wp_login( $user, $pass, true ) )
87	+ if ( $current_name != $user \|\| !wp_validatecookie( $user, $pass ) )
88	die('-1');
89	}
90	do_action('check_ajax_referer');
91	@@ -473,9 +465,12 @@
92
93	if ( !function_exists('wp_setcookie') ) :
94	function wp_setcookie($username, $password, $already_md5 = false, $home = '', $siteurl = '', $remember = false) {
95	- if ( !$already_md5 )
96	- $password = md5( md5($password) ); // Double hash the password in the cookie.
97
98	+ $user = get_userdatabylogin($username);
99	+ //Generate a new authentication cookie.
100	+ $auth = wp_hash(wp_salt() . $username . uniqid( microtime() ));
101	+ update_usermeta($user->ID, 'wp_authentication_cookie', wp_hash($auth) ) ;
102	+
103	if ( empty($home) )
104	$cookiepath = COOKIEPATH;
105	else
106	@@ -495,11 +490,13 @@
107	$expire = 0;
108
109	setcookie(USER_COOKIE, $username, $expire, $cookiepath, COOKIE_DOMAIN);
110	- setcookie(PASS_COOKIE, $password, $expire, $cookiepath, COOKIE_DOMAIN);
111	+ setcookie(AUTH_COOKIE, $auth, $expire, $cookiepath, COOKIE_DOMAIN);
112	+ //setcookie(PASS_COOKIE, $password, $expire, $cookiepath, COOKIE_DOMAIN);
113
114	if ( $cookiepath != $sitecookiepath ) {
115	setcookie(USER_COOKIE, $username, $expire, $sitecookiepath, COOKIE_DOMAIN);
116	- setcookie(PASS_COOKIE, $password, $expire, $sitecookiepath, COOKIE_DOMAIN);
117	+ setcookie(AUTH_COOKIE, $auth, $expire, $sitecookiepath, COOKIE_DOMAIN);
118	+ //setcookie(PASS_COOKIE, $password, $expire, $sitecookiepath, COOKIE_DOMAIN);
119	}
120	}
121	endif;
122	@@ -508,8 +505,10 @@
123	function wp_clearcookie() {
124	setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
125	setcookie(PASS_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
126	+ setcookie(AUTH_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
127	setcookie(USER_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
128	setcookie(PASS_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
129	+ setcookie(AUTH_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
130	}
131	endif;
132
133	@@ -700,4 +699,32 @@
134	}
135	endif;
136
137	+if ( !function_exists('wp_validatecookie') ) :
138	+function wp_validatecookie($username, $auth_cookie) {
139	+ global $error;
140	+
141	+ $login = get_userdatabylogin($username);
142	+
143	+ if (!$login) {
144	+ $error = __('<strong>ERROR</strong>: Invalid username.');
145	+ return false;
146	+ } else {
147	+ $auth = get_usermeta($login->ID, "wp_authentication_cookie" );
148	+ if ( ( '' != $auth ) && ($login->user_login == $username ) && ( wp_hash( $auth_cookie ) == $auth ) ) {
149	+ return true;
150	+ } else {
151	+ wp_clearcookie();
152	+ $error = __('<strong>ERROR</strong>: Authentication Cookie Invalid.');
153	+ return false;
154	+ }
155	+ }
156	+}
157	+endif;
158	+
159	+
160	+
161	+
162	+
163	+
164	+
165	?>
166	Index: wp-login.php
167	===================================================================
168	--- wp-login.php (revision 6349)
169	+++ wp-login.php (working copy)
170	@@ -345,6 +345,7 @@
171	elseif ( 'confirm' == $_GET['checkemail'] ) $errors['confirm'] = __('Check your e-mail for the confirmation link.');
172	elseif ( 'newpass' == $_GET['checkemail'] ) $errors['newpass'] = __('Check your e-mail for your new password.');
173	elseif ( 'registered' == $_GET['checkemail'] ) $errors['registered'] = __('Registration complete. Please check your e-mail.');
174	+ elseif ( 'expired' == $_GET['auth'] ) $errors['auth'] = __('Your cookie has expired please log back in.');
175
176	login_header(__('Login'));
177	?>
178	Index: wp-settings.php
179	===================================================================
180	--- wp-settings.php (revision 6349)
181	+++ wp-settings.php (working copy)
182	@@ -189,7 +189,9 @@
183	define('USER_COOKIE', 'wordpressuser_'. COOKIEHASH);
184	if ( !defined('PASS_COOKIE') )
185	define('PASS_COOKIE', 'wordpresspass_'. COOKIEHASH);
186	-if ( !defined('TEST_COOKIE') )
187	+if ( !defined('AUTH_COOKIE') )
188	+ define('AUTH_COOKIE', 'wordpressauth_'. COOKIEHASH);
189	+ if ( !defined('TEST_COOKIE') )
190	define('TEST_COOKIE', 'wordpress_test_cookie');
191	if ( !defined('COOKIEPATH') )
192	define('COOKIEPATH', preg_replace('\|https?://[^/]+\|i', '', get_option('home') . '/' ) );

Download in other formats:

Original Format