Ticket #37699: 37699-hasher.diff

File 37699-hasher.diff, 6.3 KB (added by wonderboymusic, 3 years ago)
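--- a/src/wp-includes/functions.php
+++ b/src/wp-includes/functions.php
@@ -5466,3 +5466,21 @@
 
         return false;
 }
+
+/**
+ * Return global instance of PasswordHash
+ *
+ * @since 4.7.0
+ *
+ * @global PasswordHash $wp_hasher Portable PHP password hashing framework instance.
+ *
+ * return PasswordHash
+ */
+function wp_hasher() {
+        global $wp_hasher;
+        if ( empty( $wp_hasher ) ) {
+                require_once ABSPATH . WPINC . '/class-phpass.php';
+                $wp_hasher = new PasswordHash( 8, true );
+        }
+        return $wp_hasher;
+}
\ No newline at end of file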
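Review bot: The new `wp_hasher()` docblock writes its return line as ` * return PasswordHash`, without the `@`, so documentation tooling will not read it as a tag; it should be ` * @return PasswordHash Global phpass hasher, created on first use.` The docblock could also state that a `$wp_hasher` global already set elsewhere is returned as is, since `empty( $wp_hasher )` is the only check before `return $wp_hasher;`. The file now ends without a trailing newline after the closing brace, which is worth restoring.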
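--- a/src/wp-includes/pluggable.php
+++ b/src/wp-includes/pluggable.php
@@ -1699,7 +1699,6 @@
  * @since 4.6.0 The `$notify` parameter accepts 'user' for sending notification only to the user created.
  *
  * @global wpdb         $wpdb      WordPress database object for queries.
- * @global PasswordHash $wp_hasher Portable PHP password hashing framework instance.
  *
  * @param int    $user_id    User ID.
  * @param null   $deprecated Not used (argument deprecated).
@@ -1711,7 +1710,7 @@
                 _deprecated_argument( __FUNCTION__, '4.3.1' );
         }
 
-        global $wpdb, $wp_hasher;
+        global $wpdb;
         $user = get_userdata( $user_id );
 
         // The blogname option is escaped with esc_html on the way into the database in sanitize_option
@@ -1738,11 +1737,8 @@
         do_action( 'retrieve_password_key', $user->user_login, $key );
 
         // Now insert the key, hashed, into the DB.
-        if ( empty( $wp_hasher ) ) {
-                require_once ABSPATH . WPINC . '/class-phpass.php';
-                $wp_hasher = new PasswordHash( 8, true );
-        }
-        $hashed = time() . ':' . $wp_hasher->HashPassword( $key );
+
+        $hashed = time() . ':' . wp_hash_password( $key );
         $wpdb->update( $wpdb->users, array( 'user_activation_key' => $hashed ), array( 'user_login' => $user->user_login ) );
 
         $message = sprintf(__('Username: %s'), $user->user_login) . "\r\n\r\n";
@@ -2005,21 +2001,11 @@
  *
  * @since 2.5.0
  *
- * @global PasswordHash $wp_hasher PHPass object
- *
  * @param string $password Plain text user password to hash
  * @return string The hash string of the password
  */
 function wp_hash_password($password) {
-        global $wp_hasher;
-
-        if ( empty($wp_hasher) ) {
-                require_once( ABSPATH . WPINC . '/class-phpass.php');
-                // By default, use the portable hash from phpass
-                $wp_hasher = new PasswordHash(8, true);
-        }
-
-        return $wp_hasher->HashPassword( trim( $password ) );
+        return wp_hasher()->HashPassword( trim( $password ) );
 }
 endif;
 
@@ -2037,7 +2023,6 @@
  *
  * @since 2.5.0
  *
- * @global PasswordHash $wp_hasher PHPass object used for checking the password
  *      against the $hash + $password
  * @uses PasswordHash::CheckPassword
  *
@@ -2047,8 +2032,6 @@
  * @return bool False, if the $password does not match the hashed password
  */
 function wp_check_password($password, $hash, $user_id = '') {
-        global $wp_hasher;
-
         // If the hash is still md5...
         if ( strlen($hash) <= 32 ) {
                 $check = hash_equals( $hash, md5( $password ) );
@@ -2073,14 +2056,8 @@
 
         // If the stored hash is longer than an MD5, presume the
         // new style phpass portable hash.
-        if ( empty($wp_hasher) ) {
-                require_once( ABSPATH . WPINC . '/class-phpass.php');
-                // By default, use the portable hash from phpass
-                $wp_hasher = new PasswordHash(8, true);
-        }
+        $check = wp_hasher()->CheckPassword( $password, $hash );
 
-        $check = $wp_hasher->CheckPassword($password, $hash);
-
         /** This filter is documented in wp-includes/pluggable.php */
         return apply_filters( 'check_password', $check, $password, $hash, $user_id );
 }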
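Review bot: In `wp_new_user_notification()` the reset key is now hashed with `wp_hash_password( $key )`, while `check_password_reset_key()` in user.php still verifies it with `wp_hasher()->CheckPassword( $key, $pass_key )`, so hashing and checking no longer go through the same code path. `wp_hash_password()` sits under the `endif;` guard in pluggable.php and can presumably be replaced by a plugin; a replacement that emits a hash format phpass cannot check would make every stored reset key fail verification. Calling the hasher directly, `$hashed = time() . ':' . wp_hasher()->HashPassword( $key );`, keeps the two sides symmetric, and the same applies to `get_password_reset_key()` in user.php. Separately, removing the `@global` line from the `wp_check_password()` docblock leaves its continuation ` *      against the $hash + $password` orphaned, and that line should be dropped as well. All of these functions continue outside the hunks shown.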
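--- a/src/wp-includes/user.php
+++ b/src/wp-includes/user.php
@@ -2029,7 +2029,6 @@
  * @since 4.4.0
  *
  * @global wpdb         $wpdb      WordPress database abstraction object.
- * @global PasswordHash $wp_hasher Portable PHP password hashing framework.
  *
  * @param WP_User $user User to retrieve password reset key for.
  *
@@ -2036,7 +2035,7 @@
  * @return string|WP_Error Password reset key on success. WP_Error on error.
  */
 function get_password_reset_key( $user ) {
-        global $wpdb, $wp_hasher;
+        global $wpdb;
 
         /**
          * Fires before a new password is retrieved.
@@ -2094,11 +2093,7 @@
         do_action( 'retrieve_password_key', $user->user_login, $key );
 
         // Now insert the key, hashed, into the DB.
-        if ( empty( $wp_hasher ) ) {
-                require_once ABSPATH . WPINC . '/class-phpass.php';
-                $wp_hasher = new PasswordHash( 8, true );
-        }
-        $hashed = time() . ':' . $wp_hasher->HashPassword( $key );
+        $hashed = time() . ':' . wp_hash_password( $key );
         $key_saved = $wpdb->update( $wpdb->users, array( 'user_activation_key' => $hashed ), array( 'user_login' => $user->user_login ) );
         if ( false === $key_saved ) {
                 return new WP_Error( 'no_password_key_update', __( 'Could not save password reset key to database.' ) );
@@ -2118,7 +2113,6 @@
  * @since 3.1.0
  *
  * @global wpdb         $wpdb      WordPress database object for queries.
- * @global PasswordHash $wp_hasher Portable PHP password hashing framework instance.
  *
  * @param string $key       Hash to validate sending user's password.
  * @param string $login     The user login.
@@ -2125,7 +2119,7 @@
  * @return WP_User|WP_Error WP_User object on success, WP_Error object for invalid or expired keys.
  */
 function check_password_reset_key($key, $login) {
-        global $wpdb, $wp_hasher;
+        global $wpdb;
 
         $key = preg_replace('/[^a-z0-9]/i', '', $key);
 
@@ -2139,11 +2133,6 @@
         if ( ! $row )
                 return new WP_Error('invalid_key', __('Invalid key'));
 
-        if ( empty( $wp_hasher ) ) {
-                require_once ABSPATH . WPINC . '/class-phpass.php';
-                $wp_hasher = new PasswordHash( 8, true );
-        }
-
         /**
          * Filters the expiration time of password reset keys.
          *
@@ -2165,7 +2154,7 @@
                 return new WP_Error( 'invalid_key', __( 'Invalid key' ) );
         }
 
-        $hash_is_correct = $wp_hasher->CheckPassword( $key, $pass_key );
+        $hash_is_correct = wp_hasher()->CheckPassword( $key, $pass_key );
 
         if ( $hash_is_correct && $expiration_time && time() < $expiration_time ) {
                 return get_userdata( $row->ID );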