
Ticket #25174: 25174.diff

File 25174.diff, 4.8 KB (added by iandunn, 13 years ago)
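--- a/src/wp-admin/includes/user.php
+++ b/src/wp-admin/includes/user.php
@@ -370,3 +370,64 @@
         printf( '<a href="%s" id="default-password-nag-no">' . __('No thanks, do not remind me again') . '</a>', '?default_password_nag=0' );
         echo '</p></div>';
 }
+
+/**
+ * Creates an array of values that would lower the entropy of a password, and should be lower the score if used
+ *
+ * @return array
+ */
+function zxcvbn_user_input_blacklist() {
+        global $current_user;
+        $strip_chars = array( ' ', '.', '-', ',', '@', 'http://', 'https://', '/' );    // @todo actually, strip out anything that's not [azAZ], and then http(s) ?
+
+        // Generic
+        $blacklist = array( 'WordPress', 'wp', 'blog' );
+
+        // Current user
+        $blacklist = array_merge( $blacklist, array(
+                $current_user->data->user_login,
+                $current_user->data->user_nicename,     // if dupe it'll be removed at end
+                str_replace( $strip_chars, ' ', $current_user->data->user_email ),
+                str_replace( $strip_chars, ' ', $current_user->data->user_url ),
+                get_user_meta( $current_user->data->ID, 'first_name', true ),
+                get_user_meta( $current_user->data->ID, 'last_name', true ),
+                get_user_meta( $current_user->data->ID, 'description', true ),
+        ) );
+
+        // The user currently being edited
+        if ( 'user-edit.php' == basename( $_SERVER['SCRIPT_NAME'] ) && isset( $_GET['user_id'] ) ) {
+                $user_being_edited = get_userdata( (int) $_GET['user_id'] );
+
+                if ( $user_being_edited ) {
+                        $blacklist = array_merge( $blacklist, array(
+                                $user_being_edited->data->user_login,
+                                $user_being_edited->data->user_nicename,
+                                str_replace( $strip_chars, ' ', $user_being_edited->data->user_email ),
+                                str_replace( $strip_chars, ' ', $user_being_edited->data->user_url ),
+                                get_user_meta( $user_being_edited->data->ID, 'first_name', true ),
+                                get_user_meta( $user_being_edited->data->ID, 'last_name', true ),
+                                get_user_meta( $user_being_edited->data->ID, 'description', true ),
+                        ) );
+                }
+        }
+
+        // Current site
+        $blacklist[] = str_replace( $strip_chars, ' ', home_url() );
+        $blacklist[] = str_replace( $strip_chars, ' ', get_bloginfo( 'name' ) );
+        $blacklist[] = str_replace( $strip_chars, ' ', get_bloginfo( 'description' ) );
+        $blacklist[] = str_replace( $strip_chars, ' ', get_bloginfo( 'admin_email' ) );
+
+        // Clean up the results
+        $blacklist_exploded = array();
+        foreach ( $blacklist as $value ) {
+                $blacklist_exploded = array_merge( $blacklist_exploded, explode( ' ', strtolower( $value ) ) );
+        }
+        $blacklist = $blacklist_exploded;
+
+        // todo remove any words that aren't at least 4 chars, otherwise things like "i", "a", "and", etc will hit lots of stuff
+
+        $blacklist = array_unique( $blacklist );
+        $blacklist = array_filter( $blacklist, 'strlen' );      // removes empty and null values
+
+        return apply_filters( 'zxcvbn_user_input_blacklist', $blacklist );
+}
\ No newline at end of file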
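Review bot: `array_unique()` and `array_filter()` at new lines 429–430 both preserve keys, so the returned array has gaps and is no longer a sequential list; when it is serialized into the `_zxcvbnSettings` object (presumably via `json_encode()` in the localize step) a keyed array becomes a JS object rather than an array, and `zxcvbn()` would then silently ignore the whole blacklist. Add `$blacklist = array_values( $blacklist );` before the `apply_filters()` call. Separately, `global $current_user` at line 380 with direct `->data->` access emits notices when no user is logged in or the global has not been populated yet; `$user = wp_get_current_user();` guarded by `if ( $user->exists() )` and reading `$user->user_login` etc. through the WP_User accessors is the safer form. The `basename( $_SERVER['SCRIPT_NAME'] )` test on line 398 could use the `$pagenow` global, and the `get_userdata()` lookup should only run when `current_user_can( 'edit_user', $user_id )`, so another user's e-mail and profile description are not pulled into client-side data for a request that will be denied anyway.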
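--- a/src/wp-admin/js/password-strength-meter.js
+++ b/src/wp-admin/js/password-strength-meter.js
@@ -1,6 +1,13 @@
-function passwordStrength(password1, username, password2) {
+/**
+ * Validate a user's new password
+ *
+ * @param string password1 The password
+ * @param string username The username. Deprecated in favor of _zxcvbnSettings.userInputBlacklist
+ * @param string password2 The confirmed password
+ */
+function passwordStrength( password1, username, password2 ) {
         if (password1 != password2 && password2.length > 0)
                 return 5;
-        var result = zxcvbn( password1, [ username ] );
+        var result = zxcvbn( password1, _zxcvbnSettings.userInputBlacklist );
         return result.score;
 }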
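Review bot: The new `zxcvbn( password1, _zxcvbnSettings.userInputBlacklist )` on line 11 dereferences `_zxcvbnSettings` unconditionally, so any page that loads this script without the `zxcvbn-async` localization now throws a ReferenceError, and the still-accepted `username` argument is dropped even when a caller passes one. A defensive form keeps both behaviours: `var blacklist = ( window._zxcvbnSettings && _zxcvbnSettings.userInputBlacklist ) || [];` followed by `if ( username ) { blacklist = blacklist.concat( [ username ] ); }` and `var result = zxcvbn( password1, blacklist );`. The docblock should then say that `username`, when given, is appended to the blacklist rather than ignored.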
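--- a/src/wp-admin/js/user-profile.js
+++ b/src/wp-admin/js/user-profile.js
@@ -9,7 +9,7 @@
                         return;
                 }
 
-                strength = passwordStrength(pass1, user, pass2);
+                strength = passwordStrength( pass1, '', pass2 );
 
                 switch ( strength ) {
                         case 2: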
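Review bot: With `user` no longer passed on line 12, that variable is presumably now assigned but unused in the enclosing closure, which starts outside the hunk; if nothing else reads it, drop its assignment so its computation is not repeated on every keystroke. Passing `''` relies on `passwordStrength()` ignoring its second parameter, so a short comment such as `// Username is now supplied via _zxcvbnSettings.userInputBlacklist.` would explain the empty argument to readers.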
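--- a/src/wp-includes/script-loader.php
+++ b/src/wp-includes/script-loader.php
@@ -312,6 +312,7 @@
         $scripts->add( 'zxcvbn-async', "/wp-includes/js/zxcvbn-async$suffix.js", array(), '1.0' );
         did_action( 'init' ) && $scripts->localize( 'zxcvbn-async', '_zxcvbnSettings', array(
                 'src' => includes_url( '/js/zxcvbn.min.js' ),
+                'userInputBlacklist' => zxcvbn_user_input_blacklist(),
         ) );
 
         $scripts->add( 'password-strength-meter', "/wp-admin/js/password-strength-meter$suffix.js", array( 'jquery', 'zxcvbn-async' ), false, 1 );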
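Review bot: `zxcvbn_user_input_blacklist()` on new line 315 is evaluated at script registration on every request once `init` has fired, and its output — including the site `admin_email`, the current user's e-mail and profile description, and tokens from `home_url()` — is printed inline wherever `zxcvbn-async` is enqueued, which may include unauthenticated pages that load the strength meter (the password-reset form, if it enqueues it). That would disclose the admin e-mail to anonymous visitors; leave `admin_email` out unless `current_user_can( 'manage_options' )`, or build the list only for `is_admin()` requests. The registration-time call also runs several `get_user_meta()` queries on requests that never enqueue the script; deferring the computation to enqueue time (a `wp_localize_script()` call from the code that actually enqueues the meter) would avoid both the cost and the unconditional exposure.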