WordPress.org

Make WordPress Core

Ticket #13655: stripslash-passwords.patch

File stripslash-passwords.patch, 3.7 KB (added by johanee, 8 years ago)

Fix password handling to correctly stripslash()

  • wp-includes/user.php

     
    2727                if ( ! empty($_POST['log']) )
    2828                        $credentials['user_login'] = $_POST['log'];
    2929                if ( ! empty($_POST['pwd']) )
    30                         $credentials['user_password'] = $_POST['pwd'];
     30                        $credentials['user_password'] = stripslashes($_POST['pwd']);
    3131                if ( ! empty($_POST['rememberme']) )
    3232                        $credentials['remember'] = $_POST['rememberme'];
    3333        }
  • wp-includes/pluggable.php

     
    14601460function wp_check_password($password, $hash, $user_id = '') {
    14611461        global $wp_hasher;
    14621462
     1463        /*
     1464         * For a long time WordPress did not stripslash() passwords in $_POST.
     1465         * To handle password hashes created during that time we must therefore
     1466         * also check against addslashed passwords and update hash on match.
     1467         */
     1468
    14631469        // If the hash is still md5...
    14641470        if ( strlen($hash) <= 32 ) {
    14651471                $check = ( $hash == md5($password) );
     1472                if (!$check)
     1473                        $check = ( $hash == md5(addslashes($password)) );
    14661474                if ( $check && $user_id ) {
    14671475                        // Rehash using new hash.
    14681476                        wp_set_password($password, $user_id);
     
    14821490
    14831491        $check = $wp_hasher->CheckPassword($password, $hash);
    14841492
     1493        // Also check using slashed password, and migrate if necessary
     1494        if ( !$check && $user_id ) {
     1495                $check = $wp_hasher->CheckPassword(addslashes($password), $hash);
     1496                if ( $check  ) {
     1497                        // Rehash with correct password
     1498                        wp_set_password($password, $user_id);
     1499                        $hash = wp_hash_password($password);
     1500                }
     1501        }
     1502
    14851503        return apply_filters('check_password', $check, $password, $hash, $user_id);
    14861504}
    14871505endif;
  • wp-admin/includes/user.php

     
    7070
    7171        $pass1 = $pass2 = '';
    7272        if ( isset( $_POST['pass1'] ))
    73                 $pass1 = $_POST['pass1'];
     73                $pass1 = stripslashes($_POST['pass1']);
    7474        if ( isset( $_POST['pass2'] ))
    75                 $pass2 = $_POST['pass2'];
     75                $pass2 = stripslashes($_POST['pass2']);
    7676
    7777        if ( isset( $_POST['role'] ) && current_user_can( 'edit_users' ) ) {
    7878                $new_role = sanitize_text_field( $_POST['role'] );
     
    148148        }
    149149
    150150        /* Check for "\" in password */
    151         if ( false !== strpos( stripslashes($pass1), "\\" ) )
     151        if ( false !== strpos( $pass1, "\\" ) )
    152152                $errors->add( 'pass', __( '<strong>ERROR</strong>: Passwords may not contain the character "\\".' ), array( 'form-field' => 'pass1' ) );
    153153
    154154        /* checking the password has been typed twice the same */
  • wp-admin/install.php

     
    183183                // Fill in the data we gathered
    184184                $weblog_title = isset( $_POST['weblog_title'] ) ? trim( stripslashes( $_POST['weblog_title'] ) ) : '';
    185185                $user_name = isset($_POST['user_name']) ? trim( stripslashes( $_POST['user_name'] ) ) : 'admin';
    186                 $admin_password = isset($_POST['admin_password']) ? $_POST['admin_password'] : '';
    187                 $admin_password_check = isset($_POST['admin_password2']) ? $_POST['admin_password2'] : '';
     186                $admin_password = isset($_POST['admin_password']) ? trim( stripslashes( $_POST['admin_password'] ) ) : '';
     187                $admin_password_check = isset($_POST['admin_password2']) ? trim( stripslashes( $_POST['admin_password2'] ) ) : '';
    188188                $admin_email  = isset( $_POST['admin_email']  ) ?trim( stripslashes( $_POST['admin_email'] ) ) : '';
    189189                $public       = isset( $_POST['blog_public']  ) ? (int) $_POST['blog_public'] : 0;
    190190                // check e-mail address