Ticket #13655: stripslash-passwords-take-1-fixed.patch
File stripslash-passwords-take-1-fixed.patch, 4.4 KB (added by , 14 years ago) |
wp-login.php
461 461 if ( isset($_POST['pass1']) && $_POST['pass1'] != $_POST['pass2'] ) { 462 462 $errors = new WP_Error('password_reset_mismatch', __('The passwords do not match.')); 463 463 } elseif ( isset($_POST['pass1']) && !empty($_POST['pass1']) ) { 464 reset_password($user, $_POST['pass1']);464 reset_password($user, stripslashes($_POST['pass1'])); 465 465 login_header(__('Password Reset'), '<p class="message reset-pass">' . __('Your password has been reset.') . ' <a href="' . site_url('wp-login.php', 'login') . '">' . __('Log in') . '</a></p>'); 466 466 login_footer(); 467 467 exit; -
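Review bot: `stripslashes($_POST['pass1'])` on new line 464 assumes the field is a string, but the guard on line 463 (`isset(...) && !empty(...)`) is also satisfied by a non-empty array, and then stripslashes() does not return the submitted value (a warning and null, or a TypeError, depending on the PHP version). Adding `is_string($_POST['pass1'])` to that condition keeps a malformed request from reaching reset_password() with a value the user never typed. The mismatch test on line 461 also uses loose `!=`, under which two different numeric-looking strings can compare equal; `!==` is the safer comparison. The enclosing block starts and ends outside this hunk.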
wp-includes/user.php
27 27 if ( ! empty($_POST['log']) ) 28 28 $credentials['user_login'] = $_POST['log']; 29 29 if ( ! empty($_POST['pwd']) ) 30 $credentials['user_password'] = $_POST['pwd'];30 $credentials['user_password'] = stripslashes($_POST['pwd']); 31 31 if ( ! empty($_POST['rememberme']) ) 32 32 $credentials['remember'] = $_POST['rememberme']; 33 33 } -
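Review bot: The unslashing on new line 30 carries no comment explaining why only the password is unslashed while `$_POST['log']` and `$_POST['rememberme']` beside it are still passed on slashed. A one-line comment such as `// $_POST is slashed by WordPress; unslash the password so the hash matches what the user typed` would keep a later cleanup from removing or duplicating the call. It is also worth confirming that nothing further down the sign-on path unslashes `user_password` a second time, since that would alter passwords that legitimately contain a backslash; that code is outside this hunk.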
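--- a/wp-includes/pluggable.php
+++ b/wp-includes/pluggable.php
@@ -1459,9 +1459,17 @@
 function wp_check_password($password, $hash, $user_id = '') {
 global $wp_hasher;
 
+/*
+* For a long time WordPress did not stripslash() passwords in $_POST.
+* To handle password hashes created during that time we must therefore
+* also check against addslashed passwords and update hash on match.
+*/
+
 // If the hash is still md5...
 if ( strlen($hash) <= 32 ) {
 $check = ( $hash == md5($password) );
+if (!$check)
+$check = ( $hash == md5(addslashes($password)) );
 if ( $check && $user_id ) {
 // Rehash using new hash.
 wp_set_password($password, $user_id);
@@ -1481,6 +1489,18 @@
 
 $check = $wp_hasher->CheckPassword($password, $hash);
 
+// Also check using slashed password, and migrate if necessary
+if ( !$check && $user_id ) {
+$check = $wp_hasher->CheckPassword(addslashes($password), $hash);
+if ( $check ) {
+// Rehash with correct password
+wp_set_password($password, $user_id);
+$hash = wp_hash_password($password);
+}
+}
+
 return apply_filters('check_password', $check, $password, $hash, $user_id);
 }
 endif;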
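Review bot: The added fallback on new line 1472 compares digests with loose `==`, as the context line 1464 above it does; PHP's loose comparison treats numeric-looking strings as numbers, so two different MD5 digests can compare equal, and the comparison is not constant-time. Use a strict comparison in both places, e.g. `$check = ( $hash === md5(addslashes($password)) );`, or `hash_equals()` where the supported PHP version provides it. The md5 fallback also runs without a `$user_id`, whereas the phpass fallback on line 1493 requires one, so the two branches accept the slashed form under different conditions; the new block comment should say which is intended. Every failed login against a phpass hash now costs a second `CheckPassword()` call, which is worth weighing against whatever login rate limiting the site relies on.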
wp-admin/includes/user.php
70 70 71 71 $pass1 = $pass2 = ''; 72 72 if ( isset( $_POST['pass1'] )) 73 $pass1 = $_POST['pass1'];73 $pass1 = stripslashes($_POST['pass1']); 74 74 if ( isset( $_POST['pass2'] )) 75 $pass2 = $_POST['pass2'];75 $pass2 = stripslashes($_POST['pass2']); 76 76 77 77 if ( isset( $_POST['role'] ) && current_user_can( 'edit_users' ) ) { 78 78 $new_role = sanitize_text_field( $_POST['role'] ); … … 148 148 } 149 149 150 150 /* Check for "\" in password */ 151 if ( false !== strpos( stripslashes($pass1), "\\" ) )151 if ( false !== strpos( $pass1, "\\" ) ) 152 152 $errors->add( 'pass', __( '<strong>ERROR</strong>: Passwords may not contain the character "\\".' ), array( 'form-field' => 'pass1' ) ); 153 153 154 154 /* checking the password has been typed twice the same */ -
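Review bot: The backslash rejection on line 151 now applies only to this profile form, while the reset path in wp-login.php and the installer in wp-admin/install.php, both touched by this same patch, accept the unslashed password without that check. Once every entry point unslashes consistently, a password containing `\` should hash and verify the same way everywhere, so either the restriction can be dropped here or it should be enforced on the other two paths; as written, a user can apparently set a password through reset that the profile screen would refuse. `stripslashes()` on new lines 73 and 75 also assumes string input, and an `is_string()` test next to each `isset()` would make that explicit. The enclosing function starts and ends outside the hunks shown.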
wp-admin/install.php
183 183 // Fill in the data we gathered 184 184 $weblog_title = isset( $_POST['weblog_title'] ) ? trim( stripslashes( $_POST['weblog_title'] ) ) : ''; 185 185 $user_name = isset($_POST['user_name']) ? trim( stripslashes( $_POST['user_name'] ) ) : 'admin'; 186 $admin_password = isset($_POST['admin_password']) ? $_POST['admin_password']: '';187 $admin_password_check = isset($_POST['admin_password2']) ? $_POST['admin_password2']: '';186 $admin_password = isset($_POST['admin_password']) ? trim( stripslashes( $_POST['admin_password'] ) ) : ''; 187 $admin_password_check = isset($_POST['admin_password2']) ? trim( stripslashes( $_POST['admin_password2'] ) ) : ''; 188 188 $admin_email = isset( $_POST['admin_email'] ) ?trim( stripslashes( $_POST['admin_email'] ) ) : ''; 189 189 $public = isset( $_POST['blog_public'] ) ? (int) $_POST['blog_public'] : 0; 190 190 // check e-mail address
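Review bot: New lines 186 and 187 wrap the admin password in `trim()`, but the login and reset paths changed in this patch (`$_POST['pwd']` in wp-includes/user.php, `$_POST['pass1']` in wp-login.php) do not trim, as far as these hunks show. A password typed with leading or trailing whitespace would therefore be stored without it and fail to match when the administrator later enters it exactly as typed at install time. Drop the trim for the two password fields, e.g. `$admin_password = isset($_POST['admin_password']) ? stripslashes( $_POST['admin_password'] ) : '';`, and likewise for `admin_password2`. The surrounding installer code continues outside this hunk.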