Make WordPress Core

Opened 17 years ago

Closed 16 years ago

#7197 closed defect (bug) (duplicate)

With magic_quotes_gpc on you can't change password to anything with " or ' inside.

Reported by: sesee
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 2.5.1
Component: Administration
Keywords: needs-patch
Focuses:
Cc:

Description

If magic_quotes_gpc is on, the user cannot change their password to something having a " or ' inside.
When submitting, magic_quotes automatically quotes " to \", and the user gets an error:
ERROR: Passwords may not contain the character "\".
Although the password strength hint says:
Hint: Use upper and lower case characters, numbers and symbols like !"?$%&( in your password.

So, there are two solutions:

  1. remove '"' from the hint, which tells you that you can use that kind of password
  2. if magic_quotes_gpc is on, stripslashes() the password (it will be hashed anyway, so no harm to the database).

Patch for solution #2 included.

Attachments (2)

wp-patch-quotes.diff (1.2 KB) - added by sesee 17 years ago.
no_magic_quotes_on_passwords.patch (1.9 KB) - added by mystyman 16 years ago.
re-based to revision 11274


Change History (8)

#1 @ryan
17 years ago

  • Milestone changed from 2.5.2 to 2.9

Milestone 2.5.2 deleted

#2 @mystyman
17 years ago

  • Keywords has-patch needs-testing added

I'm currently running svn r8647 from Aug 14th.
It appears that you cannot use passwords with these characters in them even with magic_quotes_gpc off.

In wp-settings.php the slashes are already stripped off if magic_quotes_gpc is on, at lines 481 - 485:

if ( get_magic_quotes_gpc() ) {
	$_GET    = stripslashes_deep($_GET   );
	$_POST   = stripslashes_deep($_POST  );
	$_COOKIE = stripslashes_deep($_COOKIE);
}

However, just after that, slashes are added back in all cases (magic_quotes_gpc on or off):

$_GET    = add_magic_quotes($_GET   );
$_POST   = add_magic_quotes($_POST  );
$_COOKIE = add_magic_quotes($_COOKIE);
$_SERVER = add_magic_quotes($_SERVER);

add_magic_quotes just calls the function $wpdb->escape, which at this time just calls the PHP function addslashes.

I am uploading a patch that alters the add_magic_quotes function to have a second optional arg, a 'donottouch' array, which holds the names of keys to NOT apply $wpdb->escape to. Currently I'm using array('pwd','pass1','pass2') when setting the $_POST var in wp-settings.
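
The behaviour described in the comment above, as an added example that is not part of the ticket, its patches, or WordPress's own code: unconditional addslashes() changes the submitted password bytes, while a key exclusion list leaves them intact. The `demo_*` function names, the sample form values, and the use of `password_hash()` as the hashing step are assumptions made for illustration.

```php
<?php
// Added illustration, not WordPress code. All demo_* names are hypothetical.

// Escape every top-level value with addslashes() unless its key is listed in
// $skip_keys (the optional 'donottouch' list proposed in the comment above).
function demo_add_magic_quotes(array $input, array $skip_keys = array()) {
    foreach ($input as $key => $value) {
        if (in_array($key, $skip_keys, true)) {
            continue; // credential fields stay byte-for-byte as submitted
        }
        // Nested arrays are always escaped; the skip list is top-level only.
        $input[$key] = is_array($value)
            ? demo_add_magic_quotes($value)
            : addslashes($value);
    }
    return $input;
}

// The validation implied by the ticket's error message: reject any backslash.
function demo_password_rejected($password) {
    return strpos($password, '\\') !== false;
}

// Constructed form submission, as received with magic_quotes_gpc off.
$post = array(
    'user_login' => "o'brien",
    'pass1'      => 'Tr"icky\'1!',
    'pass2'      => 'Tr"icky\'1!',
);

// Assumption: password_hash() stands in for the hashing WordPress performs.
$hash = password_hash($post['pass1'], PASSWORD_DEFAULT);

$cases = array(
    'escape everything'  => demo_add_magic_quotes($post),
    'skip password keys' => demo_add_magic_quotes($post, array('pwd', 'pass1', 'pass2')),
);

foreach ($cases as $label => $data) {
    printf(
        "%-20s login=%s pass1=%s rejected=%s matches_typed=%s\n",
        $label,
        $data['user_login'],
        $data['pass1'],
        var_export(demo_password_rejected($data['pass1']), true),
        var_export(password_verify($data['pass1'], $hash), true)
    );
}
```

With the exclusion list, `user_login` is still escaped while the password reaches validation and hashing exactly as typed.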

#3 @mystyman
17 years ago

Updated patch, removed a few lines in wp-admin/includes/user.php that also prevented "\" from being used in passwords, and rebased to svn r8653.

@mystyman
16 years ago

re-based to revision 11274

#4 @Denis-de-Bernardy
16 years ago

  • Keywords needs-patch added; has-patch needs-testing removed

Please see #8866, which got fixed today, and bump this to 2.8 with an updated patch if this is still current in today's trunk.

#5 @Denis-de-Bernardy
16 years ago

If the ticket is no longer valid, please close it as fixed.

#6 @ryan
16 years ago

  • Milestone 2.9 deleted
  • Resolution set to duplicate
  • Status changed from new to closed