WordPress.org
Get WordPress

Make WordPress Core

Ticket #13655: stripslash-passwords-take-2.patch

File stripslash-passwords-take-2.patch, 2.5 KB (added by johanee, 14 years ago)

Approach 2, defer stripslash as long as possible

  • wp-includes/registration.php

     
    113113        } else {
    114114                $update = false;
    115115                // Hash the password
    116                 $user_pass = wp_hash_password($user_pass);
     116                $user_pass = wp_hash_password(stripslashes($user_pass));
    117117        }
    118118
    119119        $user_login = sanitize_user($user_login, true);
     
    267267        // If password is changing, hash it now.
    268268        if ( ! empty($userdata['user_pass']) ) {
    269269                $plaintext_pass = $userdata['user_pass'];
    270                 $userdata['user_pass'] = wp_hash_password($userdata['user_pass']);
     270                $userdata['user_pass'] = wp_hash_password(stripslashes($userdata['user_pass']));
    271271        }
    272272
    273273        wp_cache_delete($user[ 'user_email' ], 'useremail');

  • wp-includes/pluggable.php

     
    14591459function wp_check_password($password, $hash, $user_id = '') {
    14601460        global $wp_hasher;
    14611461
    1462         // If the hash is still md5...
     1462        /*
     1463         * For a long time WordPress did not stripslash() passwords correctly.
     1464         * To handle these password hashes we must check against slashed
     1465         * passwords and update on match.
     1466         */
     1467        $slashed_password = $password;
     1468        $password = stripslashes($password);
     1469
     1470        // If the hash is still md5 (as well as not stripslashed)
    14631471        if ( strlen($hash) <= 32 ) {
    1464                 $check = ( $hash == md5($password) );
     1472                $check = ( $hash == md5($slashed_password) );
    14651473                if ( $check && $user_id ) {
    14661474                        // Rehash using new hash.
    1467                         wp_set_password($password, $user_id);
     1475                        wp_set_password($slashed_password, $user_id);
    14681476                        $hash = wp_hash_password($password);
    14691477                }
    14701478
     
    14811489
    14821490        $check = $wp_hasher->CheckPassword($password, $hash);
    14831491
     1492        if ( !$check && $user_id ) {
     1493                $check = $wp_hasher->CheckPassword($slashed_password, $hash);
     1494                if ( $check  ) {
     1495                        // Rehash with correct password
     1496                        wp_set_password($slashed_password, $user_id);
     1497                        $hash = wp_hash_password($password);
     1498                }
     1499        }
     1500
    14841501        return apply_filters('check_password', $check, $password, $hash, $user_id);
    14851502}
    14861503endif;
     
    15761593function wp_set_password( $password, $user_id ) {
    15771594        global $wpdb;
    15781595
    1579         $hash = wp_hash_password($password);
     1596        $hash = wp_hash_password(stripslashes($password));
    15801597        $wpdb->update($wpdb->users, array('user_pass' => $hash, 'user_activation_key' => ''), array('ID' => $user_id) );
    15811598
    15821599        wp_cache_delete($user_id, 'users');