WordPress.org

Make WordPress Core

Ticket #19798: 19798.2.patch

File 19798.2.patch, 2.9 KB (added by SergeyBiryukov, 6 years ago)
  • wp-includes/post-template.php

     
    12221222function get_the_password_form() {
    12231223        global $post;
    12241224        $label = 'pwbox-' . ( empty($post->ID) ? rand() : $post->ID );
    1225         $output = '<form action="' . site_url('wp-pass.php') . '" method="post">
     1225        $output = '<form action="' . esc_url( site_url( 'wp-login.php?action=postpass', 'login_post' ) ) . '" method="post">
    12261226        <p>' . __("This post is password protected. To view it please enter your password below:") . '</p>
    12271227        <p><label for="' . $label . '">' . __("Password:") . ' <input name="post_password" id="' . $label . '" type="password" size="20" /></label> <input type="submit" name="Submit" value="' . esc_attr__("Submit") . '" /></p>
    12281228        </form>
  • wp-login.php

     
    339339        $action = 'resetpass';
    340340
    341341// validate action so as to default to the login screen
    342 if ( !in_array($action, array('logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login'), true) && false === has_filter('login_form_' . $action) )
     342if ( !in_array( $action, array( 'postpass', 'logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login' ), true ) && false === has_filter( 'login_form_' . $action ) )
    343343        $action = 'login';
    344344
    345345nocache_headers();
     
    367367$http_post = ('POST' == $_SERVER['REQUEST_METHOD']);
    368368switch ($action) {
    369369
     370case 'postpass' :
     371        if ( empty( $wp_hasher ) ) {
     372                require_once( ABSPATH . 'wp-includes/class-phpass.php' );
     373                // By default, use the portable hash from phpass
     374                $wp_hasher = new PasswordHash(8, true);
     375        }
     376
     377        // 10 days
     378        setcookie( 'wp-postpass_' . COOKIEHASH, $wp_hasher->HashPassword( stripslashes( $_POST['post_password'] ) ), time() + 864000, COOKIEPATH );
     379
     380        wp_safe_redirect( wp_get_referer() );
     381        exit();
     382
     383break;
     384
    370385case 'logout' :
    371386        check_admin_referer('log-out');
    372387        wp_logout();
  • wp-pass.php

     
    1 <?php
    2 /**
    3  * Creates the password cookie and redirects back to where the
    4  * visitor was before.
    5  *
    6  * @package WordPress
    7  */
    8 
    9 /** Make sure that the WordPress bootstrap has run before continuing. */
    10 require( dirname( __FILE__ ) . '/wp-load.php');
    11 
    12 if ( empty( $wp_hasher ) ) {
    13         require_once( ABSPATH . 'wp-includes/class-phpass.php');
    14         // By default, use the portable hash from phpass
    15         $wp_hasher = new PasswordHash(8, true);
    16 }
    17 
    18 // 10 days
    19 setcookie( 'wp-postpass_' . COOKIEHASH, $wp_hasher->HashPassword( stripslashes( $_POST['post_password'] ) ), time() + 864000, COOKIEPATH );
    20 
    21 wp_safe_redirect( wp_get_referer() );
    22 exit;