Ticket #21022: 21022.4.diff
File 21022.4.diff, 14.0 KB (added by , 6 years ago) |
src/wp-includes/class-wp-recovery-mode-key-service.php
37 37 * 38 38 * @since 5.2.0 39 39 * 40 * @global PasswordHash $wp_hasher41 *42 40 * @param string $token A token generated by {@see generate_recovery_mode_token()}. 43 41 * @return string $key Recovery mode key. 44 42 */ 45 43 public function generate_and_store_recovery_mode_key( $token ) { 46 44 47 global $wp_hasher;48 49 45 $key = wp_generate_password( 22, false ); 50 46 51 if ( empty( $wp_hasher ) ) { 52 require_once ABSPATH . WPINC . '/class-phpass.php'; 53 $wp_hasher = new PasswordHash( 8, true ); 54 } 47 $hashed = password_hash( $key, PASSWORD_BCRYPT ); 55 48 56 $hashed = $wp_hasher->HashPassword( $key );57 58 49 $records = $this->get_keys(); 59 50 60 51 $records[ $token ] = array( -
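Review bot: `generate_and_store_recovery_mode_key()` now writes a `$2y$` bcrypt hash, but the verification side of this service is not part of the patch; if it still calls `$wp_hasher->CheckPassword()` on the stored value it would only validate these hashes through phpass's `crypt()` fallback, so it should be moved to `password_verify()` in the same change (cannot confirm from this hunk). On PHP 7, `password_hash()` also returns `false` on failure, and that value would be stored as the key's hash, so a guard before the record is written is worth adding: `if ( ! is_string( $hashed ) ) { return ''; }` or whatever failure convention the service already uses. The surrounding method continues past this hunk.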
src/wp-includes/pluggable.php
1882 1882 * @since 4.6.0 The `$notify` parameter accepts 'user' for sending notification only to the user created. 1883 1883 * 1884 1884 * @global wpdb $wpdb WordPress database object for queries. 1885 * @global PasswordHash $wp_hasher Portable PHP password hashing framework instance.1886 1885 * 1887 1886 * @param int $user_id User ID. 1888 1887 * @param null $deprecated Not used (argument deprecated). … … 1899 1898 return; 1900 1899 } 1901 1900 1902 global $wpdb , $wp_hasher;1901 global $wpdb; 1903 1902 $user = get_userdata( $user_id ); 1904 1903 1905 1904 // The blogname option is escaped with esc_html on the way into the database in sanitize_option … … 1966 1965 do_action( 'retrieve_password_key', $user->user_login, $key ); 1967 1966 1968 1967 // Now insert the key, hashed, into the DB. 1969 if ( empty( $wp_hasher ) ) { 1970 require_once ABSPATH . WPINC . '/class-phpass.php'; 1971 $wp_hasher = new PasswordHash( 8, true ); 1972 } 1973 $hashed = time() . ':' . $wp_hasher->HashPassword( $key ); 1968 $hashed = time() . ':' . password_hash( $key, PASSWORD_BCRYPT ); 1974 1969 $wpdb->update( $wpdb->users, array( 'user_activation_key' => $hashed ), array( 'user_login' => $user->user_login ) ); 1975 1970 1976 1971 $switched_locale = switch_to_locale( get_user_locale( $user ) ); … … 2271 2266 * 2272 2267 * @since 2.5.0 2273 2268 * 2274 * @global PasswordHash $wp_hasher PHPass object2275 *2276 2269 * @param string $password Plain text user password to hash 2277 2270 * @return string The hash string of the password 2278 2271 */ 2279 2272 function wp_hash_password( $password ) { 2280 global $wp_hasher; 2281 2282 if ( empty( $wp_hasher ) ) { 2283 require_once( ABSPATH . WPINC . 
'/class-phpass.php' ); 2284 // By default, use the portable hash from phpass 2285 $wp_hasher = new PasswordHash( 8, true ); 2286 } 2287 2288 return $wp_hasher->HashPassword( trim( $password ) ); 2273 return password_hash( trim( $password ), PASSWORD_BCRYPT ); 2289 2274 } 2290 2275 endif; 2291 2276 … … 2294 2279 * Checks the plaintext password against the encrypted Password. 2295 2280 * 2296 2281 * Maintains compatibility between old version and the new cookie authentication 2297 * protocol using PHPass library. The $hash parameter is the encrypted password2282 * protocol using password_hash. The $hash parameter is the encrypted password 2298 2283 * and the function compares the plain text password when encrypted similarly 2299 2284 * against the already encrypted password to see if they match. 2300 2285 * … … 2303 2288 * 2304 2289 * @since 2.5.0 2305 2290 * 2306 * @global PasswordHash $wp_hasher PHPass object used for checking the password2307 * against the $hash + $password2308 2291 * @uses PasswordHash::CheckPassword 2309 2292 * 2310 2293 * @param string $password Plaintext user's password … … 2313 2296 * @return bool False, if the $password does not match the hashed password 2314 2297 */ 2315 2298 function wp_check_password( $password, $hash, $user_id = '' ) { 2316 global $wp_hasher;2317 2299 2318 // If the hash is still md5... 2319 if ( strlen( $hash ) <= 32 ) { 2320 $check = hash_equals( $hash, md5( $password ) ); 2300 if ( password_needs_rehash( $hash, PASSWORD_BCRYPT ) ) { 2301 if ( strlen( $hash ) <= 32 ) { 2302 $check = hash_equals( $hash, md5( $password ) ); 2303 } else { 2304 require_once( ABSPATH . WPINC . '/class-phpass.php' ); 2305 $wp_hasher = new PasswordHash( 8, true ); 2306 $check = $wp_hasher->CheckPassword( $password, $hash ); 2307 } 2308 2321 2309 if ( $check && $user_id ) { 2322 2310 // Rehash using new hash. 
2323 2311 wp_set_password( $password, $user_id ); 2324 2312 $hash = wp_hash_password( $password ); 2325 2313 } 2326 2327 /** 2328 * Filters whether the plaintext password matches the encrypted password. 2329 * 2330 * @since 2.5.0 2331 * 2332 * @param bool $check Whether the passwords match. 2333 * @param string $password The plaintext password. 2334 * @param string $hash The hashed password. 2335 * @param string|int $user_id User ID. Can be empty. 2336 */ 2337 return apply_filters( 'check_password', $check, $password, $hash, $user_id ); 2314 } else { 2315 $check = password_verify( $password, $hash ); 2338 2316 } 2339 2317 2340 // If the stored hash is longer than an MD5, presume the 2341 // new style phpass portable hash. 2342 if ( empty( $wp_hasher ) ) { 2343 require_once( ABSPATH . WPINC . '/class-phpass.php' ); 2344 // By default, use the portable hash from phpass 2345 $wp_hasher = new PasswordHash( 8, true ); 2346 } 2347 2348 $check = $wp_hasher->CheckPassword( $password, $hash ); 2349 2350 /** This filter is documented in wp-includes/pluggable.php */ 2318 /** 2319 * Filters whether the plaintext password matches the encrypted password. 2320 * 2321 * @since 2.5.0 2322 * 2323 * @param bool $check Whether the passwords match. 2324 * @param string $password The plaintext password. 2325 * @param string $hash The hashed password. 2326 * @param string|int $user_id User ID. Can be empty. 2327 */ 2351 2328 return apply_filters( 'check_password', $check, $password, $hash, $user_id ); 2352 2329 } 2353 2330 endif; -
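Review bot: In `wp_check_password()`, `password_needs_rehash()` is used as the format dispatcher, so a valid bcrypt hash with any non-default cost (for example one written by a site that raised the cost) is sent down the phpass `CheckPassword()` branch instead of `password_verify()`; that only succeeds because phpass falls back to `crypt()` for prefixes it does not own, and it also silently rehashes every such hash back to cost 10. Dispatching on the stored format (length ≤ 32 → md5, `$P$` prefix → phpass, otherwise `password_verify()`) and using `password_needs_rehash()` only to decide whether to upgrade separates the two concerns, as below. Separately, bcrypt considers only the first 72 bytes of its input, which the phpass portable hash did not, so `wp_hash_password()` deserves a docblock line such as `* Note: bcrypt only uses the first 72 bytes of the password; longer passwords match on that prefix.`.
```php
function wp_check_password( $password, $hash, $user_id = '' ) {
	if ( strlen( $hash ) <= 32 ) {
		// Legacy md5 hash.
		$check = hash_equals( $hash, md5( $password ) );
	} elseif ( 0 === strpos( $hash, '$P$' ) ) {
		// Legacy phpass portable hash.
		require_once( ABSPATH . WPINC . '/class-phpass.php' );
		$wp_hasher = new PasswordHash( 8, true );
		$check     = $wp_hasher->CheckPassword( $password, $hash );
	} else {
		$check = password_verify( $password, $hash );
	}

	// Upgrade any non-bcrypt or non-default-cost hash once the password is known to be right.
	if ( $check && $user_id && password_needs_rehash( $hash, PASSWORD_BCRYPT ) ) {
		wp_set_password( $password, $user_id );
		$hash = wp_hash_password( $password );
	}

	// … unchanged: 'check_password' filter and return …
```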
src/wp-includes/post-template.php
866 866 return apply_filters( 'post_password_required', true, $post ); 867 867 } 868 868 869 require_once ABSPATH . WPINC . '/class-phpass.php';870 $hasher = new PasswordHash( 8, true );871 872 869 $hash = wp_unslash( $_COOKIE[ 'wp-postpass_' . COOKIEHASH ] ); 873 if ( 0 !== strpos( $hash, '$ P$B' ) ) {870 if ( 0 !== strpos( $hash, '$2y$' ) ) { 874 871 $required = true; 875 872 } else { 876 $required = ! $ hasher->CheckPassword( $post->post_password, $hash );873 $required = ! $password_verify( $post->post_password, $hash ); 877 874 } 878 875 879 876 /** -
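Review bot: `$required = ! $password_verify( $post->post_password, $hash );` has a stray `$` before the function name, so this is a variable-function call on an undefined variable and fails on every visit to a password-protected post that carries a `$2y$` cookie; it should read `$required = ! password_verify( $post->post_password, $hash );`. Note also that this check now performs a bcrypt verification at the default cost for each protected post rendered in a request (archives included), orders of magnitude more than the phpass cost-8 check it replaces, and it is reachable without authentication; worth measuring, or memoising the result per cookie value within the request. `post_password_required()` starts outside this hunk.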
src/wp-includes/user.php
2205 2205 * @since 4.4.0 2206 2206 * 2207 2207 * @global wpdb $wpdb WordPress database abstraction object. 2208 * @global PasswordHash $wp_hasher Portable PHP password hashing framework.2209 2208 * 2210 2209 * @param WP_User $user User to retrieve password reset key for. 2211 2210 * … … 2212 2211 * @return string|WP_Error Password reset key on success. WP_Error on error. 2213 2212 */ 2214 2213 function get_password_reset_key( $user ) { 2215 global $wpdb , $wp_hasher;2214 global $wpdb; 2216 2215 2217 2216 if ( ! ( $user instanceof WP_User ) ) { 2218 2217 return new WP_Error( 'invalidcombo', __( '<strong>ERROR</strong>: There is no account with that username or email address.' ) ); … … 2274 2273 do_action( 'retrieve_password_key', $user->user_login, $key ); 2275 2274 2276 2275 // Now insert the key, hashed, into the DB. 2277 if ( empty( $wp_hasher ) ) { 2278 require_once ABSPATH . WPINC . '/class-phpass.php'; 2279 $wp_hasher = new PasswordHash( 8, true ); 2280 } 2281 $hashed = time() . ':' . $wp_hasher->HashPassword( $key ); 2276 $hashed = time() . ':' . password_hash( $key, PASSWORD_BCRYPT ); 2282 2277 $key_saved = $wpdb->update( $wpdb->users, array( 'user_activation_key' => $hashed ), array( 'user_login' => $user->user_login ) ); 2283 2278 if ( false === $key_saved ) { 2284 2279 return new WP_Error( 'no_password_key_update', __( 'Could not save password reset key to database.' ) ); … … 2298 2293 * @since 3.1.0 2299 2294 * 2300 2295 * @global wpdb $wpdb WordPress database object for queries. 2301 * @global PasswordHash $wp_hasher Portable PHP password hashing framework instance.2302 2296 * 2303 2297 * @param string $key Hash to validate sending user's password. 2304 2298 * @param string $login The user login. … … 2305 2299 * @return WP_User|WP_Error WP_User object on success, WP_Error object for invalid or expired keys. 
2306 2300 */ 2307 2301 function check_password_reset_key( $key, $login ) { 2308 global $wpdb , $wp_hasher;2302 global $wpdb; 2309 2303 2310 2304 $key = preg_replace( '/[^a-z0-9]/i', '', $key ); 2311 2305 … … 2322 2316 return new WP_Error( 'invalid_key', __( 'Invalid key.' ) ); 2323 2317 } 2324 2318 2325 if ( empty( $wp_hasher ) ) {2326 require_once ABSPATH . WPINC . '/class-phpass.php';2327 $wp_hasher = new PasswordHash( 8, true );2328 }2329 2330 2319 /** 2331 2320 * Filters the expiration time of password reset keys. 2332 2321 * … … 2348 2337 return new WP_Error( 'invalid_key', __( 'Invalid key.' ) ); 2349 2338 } 2350 2339 2351 $hash_is_correct = $wp_hasher->CheckPassword( $key, $pass_key );2340 $hash_is_correct = password_verify( $key, $pass_key ); 2352 2341 2353 2342 if ( $hash_is_correct && $expiration_time && time() < $expiration_time ) { 2354 2343 return get_userdata( $row->ID ); … … 3542 3531 * @return string Confirmation key. 3543 3532 */ 3544 3533 function wp_generate_user_request_key( $request_id ) { 3545 global $wp_hasher;3546 3534 3547 3535 // Generate something random for a confirmation key. 3548 3536 $key = wp_generate_password( 20, false ); 3549 3537 3550 3538 // Return the key, hashed. 3551 if ( empty( $wp_hasher ) ) {3552 require_once ABSPATH . WPINC . '/class-phpass.php';3553 $wp_hasher = new PasswordHash( 8, true );3554 }3555 3556 3539 wp_update_post( 3557 3540 array( 3558 3541 'ID' => $request_id, 3559 3542 'post_status' => 'request-pending', 3560 'post_password' => $wp_hasher->HashPassword( $key),3543 'post_password' => password_hash( $key, PASSWORD_BCRYPT ), 3561 3544 ) 3562 3545 ); 3563 3546 … … 3574 3557 * @return bool|WP_Error WP_Error on failure, true on success. 
3575 3558 */ 3576 3559 function wp_validate_user_request_key( $request_id, $key ) { 3577 global $wp_hasher;3578 3560 3579 3561 $request_id = absint( $request_id ); 3580 3562 $request = wp_get_user_request_data( $request_id ); … … 3591 3573 return new WP_Error( 'missing_key', __( 'Missing confirm key.' ) ); 3592 3574 } 3593 3575 3594 if ( empty( $wp_hasher ) ) {3595 require_once ABSPATH . WPINC . '/class-phpass.php';3596 $wp_hasher = new PasswordHash( 8, true );3597 }3598 3599 3576 $key_request_time = $request->modified_timestamp; 3600 3577 $saved_key = $request->confirm_key; 3601 3578 … … 3617 3594 $expiration_duration = (int) apply_filters( 'user_request_key_expiration', DAY_IN_SECONDS ); 3618 3595 $expiration_time = $key_request_time + $expiration_duration; 3619 3596 3620 if ( ! $wp_hasher->CheckPassword( $key, $saved_key ) ) {3597 if ( ! password_verify( $key, $saved_key ) ) { 3621 3598 return new WP_Error( 'invalid_key', __( 'Invalid key.' ) ); 3622 3599 } 3623 3600 -
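Review bot: `check_password_reset_key()` and `wp_validate_user_request_key()` now verify stored keys only with `password_verify()`, which returns false for the `$P$` phpass hashes already sitting in `user_activation_key` and in pending requests' `post_password` at upgrade time, so every reset link and privacy-request confirmation issued before the upgrade is rejected as `invalid_key` — unlike `wp_check_password()`, which keeps a legacy path. If that invalidation is intended it should be stated in both docblocks (`* Keys hashed with phpass before the switch to bcrypt do not validate.`); otherwise dispatch on the stored prefix as below, and mirror it in `wp_validate_user_request_key()`. `check_password_reset_key()` continues past this hunk.
```php
	if ( 0 === strpos( $pass_key, '$P$' ) ) {
		// Key stored before the switch to bcrypt: verify with phpass.
		require_once ABSPATH . WPINC . '/class-phpass.php';
		$legacy_hasher   = new PasswordHash( 8, true );
		$hash_is_correct = $legacy_hasher->CheckPassword( $key, $pass_key );
	} else {
		$hash_is_correct = password_verify( $key, $pass_key );
	}
	// … unchanged: expiration check and return …
```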
src/wp-login.php
508 508 exit(); 509 509 } 510 510 511 require_once ABSPATH . WPINC . '/class-phpass.php';512 $hasher = new PasswordHash( 8, true );513 514 511 /** 515 512 * Filters the life span of the post password cookie. 516 513 * … … 528 525 } else { 529 526 $secure = false; 530 527 } 531 setcookie( 'wp-postpass_' . COOKIEHASH, $hasher->HashPassword( wp_unslash( $_POST['post_password'] )), $expire, COOKIEPATH, COOKIE_DOMAIN, $secure );528 setcookie( 'wp-postpass_' . COOKIEHASH, password_hash( wp_unslash( $_POST['post_password'] ), PASSWORD_BCRYPT ), $expire, COOKIEPATH, COOKIE_DOMAIN, $secure ); 532 529 533 530 wp_safe_redirect( wp_get_referer() ); 534 531 exit(); -
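Review bot: The new `setcookie()` value passes `wp_unslash( $_POST['post_password'] )` straight into `password_hash()`, which requires a string; unless the request is validated above this hunk, a request sending `post_password[]=x` (an array survives `wp_unslash()`) raises a warning or, on newer PHP, a `TypeError` instead of being treated as a wrong password, and this path needs no authentication. Normalising first, e.g. `$post_password = isset( $_POST['post_password'] ) && is_string( $_POST['post_password'] ) ? wp_unslash( $_POST['post_password'] ) : '';`, keeps it a plain auth failure. Bcrypt also uses only the first 72 bytes, so post passwords longer than that now match on their prefix where phpass did not; a one-line comment at the `setcookie()` call would save the next reader a surprise.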
tests/phpunit/tests/auth.php
8 8 protected $user; 9 9 protected static $_user; 10 10 protected static $user_id; 11 protected static $wp_hasher;12 11 13 12 /** 14 13 * action hook … … 23 22 ); 24 23 25 24 self::$user_id = self::$_user->ID; 26 27 require_once( ABSPATH . WPINC . '/class-phpass.php' );28 self::$wp_hasher = new PasswordHash( 8, true );29 25 } 30 26 31 27 function setUp() { … … 184 180 185 181 wp_set_password( $limit, self::$user_id ); 186 182 // phpass hashed password 187 $this->assertStringStartsWith( '$ P$', $this->user->data->user_pass );183 $this->assertStringStartsWith( '$2y$', $this->user->data->user_pass ); 188 184 189 185 $user = wp_authenticate( $this->user->user_login, 'aaaaaaaa' ); 190 186 // Wrong Password … … 236 232 $wpdb->update( 237 233 $wpdb->users, 238 234 array( 239 'user_activation_key' => strtotime( '-1 hour' ) . ':' . self::$wp_hasher->HashPassword( $key),235 'user_activation_key' => strtotime( '-1 hour' ) . ':' . password_hash( $key, PASSWORD_BCRYPT ), 240 236 ), 241 237 array( 242 238 'ID' => $this->user->ID, … … 273 269 $wpdb->update( 274 270 $wpdb->users, 275 271 array( 276 'user_activation_key' => strtotime( '-48 hours' ) . ':' . self::$wp_hasher->HashPassword( $key),272 'user_activation_key' => strtotime( '-48 hours' ) . ':' . password_hash( $key, PASSWORD_BCRYPT ), 277 273 ), 278 274 array( 279 275 'ID' => $this->user->ID, … … 310 306 $wpdb->update( 311 307 $wpdb->users, 312 308 array( 313 'user_activation_key' => self::$wp_hasher->HashPassword( $key),309 'user_activation_key' => password_hash( $key, PASSWORD_BCRYPT ), 314 310 ), 315 311 array( 316 312 'ID' => $this->user->ID, -
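Review bot: The assertion at test line 187 now expects a `$2y$` prefix but the comment above it still says `// phpass hashed password`; change it to `// bcrypt hashed password`. More importantly, nothing in this file exercises the migration branch `wp_check_password()` gains in this patch: a test that seeds a user with a stored `$P$` hash (via the phpass class this file no longer loads), calls `wp_authenticate()`, and asserts both success and that `user_pass` has been rewritten to a `$2y$` hash would guard the legacy path, and an equivalent for the md5 branch is just as cheap.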
tests/phpunit/tests/comment-submission.php
175 175 public function test_submitting_comment_to_password_protected_post_succeeds() { 176 176 177 177 $password = 'password'; 178 $hasher = new PasswordHash( 8, true );179 178 180 $_COOKIE[ 'wp-postpass_' . COOKIEHASH ] = $hasher->HashPassword( $password);179 $_COOKIE[ 'wp-postpass_' . COOKIEHASH ] = password_hash( $password, PASSWORD_BCRYPT ); 181 180 182 181 $post = self::factory()->post->create_and_get( 183 182 array(