Ticket #7197 (closed defect (bug): duplicate)

Opened 4 years ago

Last modified 3 years ago

With magic_quotes_gpc on you can't change password to anything with " or ' inside.

Reported by: sesee Owned by: anonymous
Priority: normal Milestone:
Component: Administration Version: 2.5.1
Severity: normal Keywords: needs-patch
Cc:

Description

If magic_quotes_gpc are on, user cannot change password to something having a " or ' inside. When submitting, magic_quotes automatically quotes " to \", and user gets an error: ERROR: Passwords may not contain the character "\". Although the password strength hint says: Hint: Use upper and lower case characters, numbers and symbols like !"?$%&( in your password.

So, there are two solutions:

  1. remove '"' from hint which tells that you can use that kind of a password
  2. if magic_quotes_gpc are on - stripslashes() the password ( it will be hashed anyway, so no harm to the database ).

Patch for solution #2 included.

Attachments

wp-patch-quotes.diff (1.2 KB) - added by sesee 4 years ago.
no_magic_quotes_on_passwords.patch (1.9 KB) - added by mystyman 3 years ago: re-based to revision 11274

Change History

sesee 4 years ago

comment:1   ryan 4 years ago

  • Milestone changed from 2.5.2 to 2.9

Milestone 2.5.2 deleted

  • Keywords has-patch, needs-testing added

I'm currently running svn r8647 from Aug 14th. It appears that you cannot use passwords with these characters in it even with magic_quotes_gpc off.

In wp-settings.php the slashes are already stripped off if magic_quotes_gpc on, from lines 481 - 485

if ( get_magic_quotes_gpc() ) {
	$_GET    = stripslashes_deep($_GET   );
	$_POST   = stripslashes_deep($_POST  );
	$_COOKIE = stripslashes_deep($_COOKIE);
}

However, just after that, slashes are added back in all cases (magic_quotes_gpc on or off):

$_GET    = add_magic_quotes($_GET   );
$_POST   = add_magic_quotes($_POST  );
$_COOKIE = add_magic_quotes($_COOKIE);
$_SERVER = add_magic_quotes($_SERVER);

add_magic_quotes just calls the function $wpdb->escape, which at this time just calls the PHP function addslashes.

I am uploading a patch that alters the add_magic_quotes function to have a second optional arg 'donottouch', an array which holds the names of keys to NOT apply $wpdb->escape to. Currently I'm using array('pwd','pass1','pass2') when setting the $_POST var in wp-settings.

Updated patch: removed a few lines in wp-admin/includes/user.php that also prevented "\" from being used in passwords, and rebased to svn r8653.

re-based to revision 11274
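An added example, not WordPress code and not taken from either attached patch: a standalone PHP model of the wp-settings.php sequence quoted in the comment above (stripslashes_deep when magic_quotes_gpc is on, then add_magic_quotes unconditionally), with the optional 'donottouch' key list the comment describes, and with the description's solution #2 (stripslashes() on the escaped password before hashing) for comparison. The field names 'pwd', 'pass1' and 'pass2', the stand-in helper functions and the check_password() routine are assumptions made for the example, and the submitted form data is constructed.

```php
<?php
// Added example, not WordPress code. Models the request-escaping pipeline
// discussed in ticket #7197 and the proposed 'donottouch' exclusion list.
// Assumptions (not from the ticket): the password fields are named
// 'pwd', 'pass1', 'pass2'; check_password() is a hypothetical stand-in for the
// admin-side check that rejected a backslash in passwords.

// Simplified stand-in for WordPress's stripslashes_deep(): undo magic quotes recursively.
function strip_slashes_deep($value) {
    return is_array($value) ? array_map('strip_slashes_deep', $value) : stripslashes($value);
}

// Stand-in for add_magic_quotes() with the optional second argument the patch proposes:
// keys listed in $donottouch are passed through untouched instead of being addslashes()'d
// (at the time $wpdb->escape was just addslashes, so it is used directly here).
function add_magic_quotes_except(array $array, array $donottouch = array()) {
    foreach ($array as $k => $v) {
        if (in_array($k, $donottouch, true)) {
            continue;   // passwords are only ever hashed, never interpolated into SQL
        }
        $array[$k] = is_array($v) ? add_magic_quotes_except($v, $donottouch) : addslashes($v);
    }
    return $array;
}

// What the script sees: PHP applies addslashes() to every GPC value when
// magic_quotes_gpc is on, then wp-settings.php strips them and re-adds them.
function process_post(array $submitted, $magic_quotes_gpc, array $donottouch = array()) {
    $post = $magic_quotes_gpc ? array_map('addslashes', $submitted) : $submitted;
    if ($magic_quotes_gpc) {
        $post = strip_slashes_deep($post);              // wp-settings.php: undo magic quotes
    }
    return add_magic_quotes_except($post, $donottouch); // then slashes are added back
}

// Hypothetical stand-in for the admin check that produced the error in the description.
function check_password($password) {
    if (strpos($password, '\\') !== false) {
        return 'ERROR: Passwords may not contain the character "\\".';
    }
    return 'ok';
}

// Constructed form submission: a login with a quote (must still be escaped for the
// DB layer) and a password containing a double quote, as the strength hint suggests.
$submitted = array('user_login' => "o'brien", 'pass1' => 'Secr"et!', 'pass2' => 'Secr"et!');
$password_keys = array('pwd', 'pass1', 'pass2');

foreach (array(false, true) as $mq) {
    $label = $mq ? 'magic_quotes_gpc=on ' : 'magic_quotes_gpc=off';

    // Unpatched: every key is addslashes()'d, so pass1 reaches the check as Secr\"et!
    // and is rejected regardless of the magic_quotes_gpc setting.
    $before = process_post($submitted, $mq);
    printf("%s unpatched:  pass1=%-10s %s\n", $label, $before['pass1'], check_password($before['pass1']));

    // Description's solution #2: strip the slashes again right before hashing.
    // Safe here only because add_magic_quotes always ran first, so the value is
    // known to be escaped exactly once.
    $hash_input = stripslashes($before['pass1']);
    printf("%s stripslashes before hash: pass1=%-10s %s\n", $label, $hash_input, check_password($hash_input));

    // 'donottouch' patch: password keys skip escaping, user_login is still escaped.
    $after = process_post($submitted, $mq, $password_keys);
    printf("%s donottouch: pass1=%-10s %s (user_login=%s)\n",
        $label, $after['pass1'], check_password($after['pass1']), $after['user_login']);
}
```

Both approaches hand the password to the hash function as the user typed it, and the model shows the comment's observation that the unpatched pipeline rejects the password whether magic_quotes_gpc is on or off, since add_magic_quotes runs either way. The exclusion-list variant is the tighter fix: an unescaped value is only acceptable for keys that are never placed into a query, which is why the list holds only password fields, and a stripslashes() at hashing time is only correct when the value is guaranteed to have been escaped exactly once beforehand.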

  • Keywords needs-patch added; has-patch, needs-testing removed

Please see #8866, which got fixed today, and bump this to 2.8 with an updated patch if this is still current in today's trunk.

If the ticket is no longer valid, please close it as fixed.

comment:6   ryan 3 years ago

  • Status changed from new to closed
  • Resolution set to duplicate
  • Milestone 2.9 deleted