Opened 4 years ago
Closed 3 years ago
#10453 closed defect (bug) (worksforme)
authentication errors from plugins sometimes get suppressed
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | Security | Version: | 2.8.1 |
| Severity: | normal | Keywords: | reporter-feedback |
| Cc: | wnorris | | |
Description
I've noticed that the new authentication code in WP 2.8 sometimes suppresses error messages from plugins which implement the 'authenticate' hook. This happens on wp-login.php when both the username and password fields are left empty.
The included patch does two things:
- modifies wp_authenticate_username_password to maintain the existing WP_Error object if present. Also changes how wp_signon clears out the 'empty_username' and 'empty_password' errors, to ensure that any others are maintained (this last part could be made cleaner if WP_Error exposed a remove method)
- modifies the 'login_errors' and 'login_messages' filter calls in wp-login.php to pass the raw $wp_errors object as an optional second parameter
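
A simplified, self-contained model of the behaviour this description reports, added here as an illustration; it is not WordPress core code and not the attached patch. `ModelError` (a stand-in for WP_Error), the function names and the `plugin_blocked` code are hypothetical, and the plugin callback is assumed to run before the username/password callback.

```php
<?php
// Simplified model, not WordPress code. ModelError stands in for WP_Error.
class ModelError {
    public $errors = array();
    public function add($code, $message) { $this->errors[$code][] = $message; }
    public function codes() { return array_keys($this->errors); }
}

// Hypothetical plugin callback: refuses the login for its own reason.
function plugin_authenticate($user, $username, $password) {
    $error = new ModelError();
    $error->add('plugin_blocked', 'Logins are disabled by the plugin.');
    return $error;
}

// Username/password callback. With $preserve = false it builds a fresh error
// object on empty fields (the reported behaviour); with $preserve = true it
// appends to an error object an earlier callback already returned.
function password_authenticate($user, $username, $password, $preserve) {
    if ($username !== '' && $password !== '') {
        return $user; // credential check omitted; not relevant to the model
    }
    $error = ($preserve && $user instanceof ModelError) ? $user : new ModelError();
    if ($username === '') {
        $error->add('empty_username', 'The username field is empty.');
    }
    if ($password === '') {
        $error->add('empty_password', 'The password field is empty.');
    }
    return $error;
}

// Each callback receives the previous callback's return value, as in a filter chain.
function run_chain($username, $password, $preserve) {
    $user = plugin_authenticate(null, $username, $password);
    return password_authenticate($user, $username, $password, $preserve);
}

// Constructed input: both login fields submitted empty.
echo implode(', ', run_chain('', '', false)->codes()), "\n";
echo implode(', ', run_chain('', '', true)->codes()), "\n";
```

In the first run the plugin's error code is missing from the result; in the second it is listed ahead of the two empty-field codes.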
Attachments (2)
Change History (6)
miqrogroove — 3 years ago
comment:2
miqrogroove — 3 years ago
wnorris, I don't think you've quite made the case for this patch.
> Also changes how wp_signon clears out the 'empty_username' and 'empty_password' errors, to ensure that any others are maintained
As I understand the existing code, WordPress does not clear out the empty_username and empty_password items if other errors are present. This is made fairly obvious by the patch's attempt to unset errors in the context of an authentication failure. If you think there's a sane way to do that, it needs to be explained and documented.
comment:3
miqrogroove — 3 years ago
- Keywords reporter-feedback added; authentication login plugins has-patch removed

renamed file by wnorris - for visibility