Ticket #37699: 37699-hasher.diff
File 37699-hasher.diff, 6.3 KB (added by , 8 years ago) |
---|
-
src/wp-includes/functions.php
5466 5466 5467 5467 return false; 5468 5468 } 5469 5470 /** 5471 * Return global instance of PasswordHash 5472 * 5473 * @since 4.7.0 5474 * 5475 * @global PasswordHash $wp_hasher Portable PHP password hashing framework instance. 5476 * 5477 * return PasswordHash 5478 */ 5479 function wp_hasher() { 5480 global $wp_hasher; 5481 if ( empty( $wp_hasher ) ) { 5482 require_once ABSPATH . WPINC . '/class-phpass.php'; 5483 $wp_hasher = new PasswordHash( 8, true ); 5484 } 5485 return $wp_hasher; 5486 } 5487 No newline at end of file -
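Review bot: The docblock on the new `wp_hasher()` writes its return tag as `return PasswordHash`, without the `@`, so documentation generators and static analysers will not pick up a return type. It should read `* @return PasswordHash Shared hasher instance.` The description should also state that a non-empty global `$wp_hasher` set by other code is returned unchanged. The `empty()` check accepts whatever object is already there, and the password and reset-key checks changed in this patch now all go through this one accessor.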
src/wp-includes/pluggable.php
1699 1699 * @since 4.6.0 The `$notify` parameter accepts 'user' for sending notification only to the user created. 1700 1700 * 1701 1701 * @global wpdb $wpdb WordPress database object for queries. 1702 * @global PasswordHash $wp_hasher Portable PHP password hashing framework instance.1703 1702 * 1704 1703 * @param int $user_id User ID. 1705 1704 * @param null $deprecated Not used (argument deprecated). … … 1711 1710 _deprecated_argument( __FUNCTION__, '4.3.1' ); 1712 1711 } 1713 1712 1714 global $wpdb , $wp_hasher;1713 global $wpdb; 1715 1714 $user = get_userdata( $user_id ); 1716 1715 1717 1716 // The blogname option is escaped with esc_html on the way into the database in sanitize_option … … 1738 1737 do_action( 'retrieve_password_key', $user->user_login, $key ); 1739 1738 1740 1739 // Now insert the key, hashed, into the DB. 1741 if ( empty( $wp_hasher ) ) { 1742 require_once ABSPATH . WPINC . '/class-phpass.php'; 1743 $wp_hasher = new PasswordHash( 8, true ); 1744 } 1745 $hashed = time() . ':' . $wp_hasher->HashPassword( $key ); 1740 1741 $hashed = time() . ':' . wp_hash_password( $key ); 1746 1742 $wpdb->update( $wpdb->users, array( 'user_activation_key' => $hashed ), array( 'user_login' => $user->user_login ) ); 1747 1743 1748 1744 $message = sprintf(__('Username: %s'), $user->user_login) . "\r\n\r\n"; … … 2005 2001 * 2006 2002 * @since 2.5.0 2007 2003 * 2008 * @global PasswordHash $wp_hasher PHPass object2009 *2010 2004 * @param string $password Plain text user password to hash 2011 2005 * @return string The hash string of the password 2012 2006 */ 2013 2007 function wp_hash_password($password) { 2014 global $wp_hasher; 2015 2016 if ( empty($wp_hasher) ) { 2017 require_once( ABSPATH . WPINC . 
'/class-phpass.php'); 2018 // By default, use the portable hash from phpass 2019 $wp_hasher = new PasswordHash(8, true); 2020 } 2021 2022 return $wp_hasher->HashPassword( trim( $password ) ); 2008 return wp_hasher()->HashPassword( trim( $password ) ); 2023 2009 } 2024 2010 endif; 2025 2011 … … 2037 2023 * 2038 2024 * @since 2.5.0 2039 2025 * 2040 * @global PasswordHash $wp_hasher PHPass object used for checking the password2041 2026 * against the $hash + $password 2042 2027 * @uses PasswordHash::CheckPassword 2043 2028 * … … 2047 2032 * @return bool False, if the $password does not match the hashed password 2048 2033 */ 2049 2034 function wp_check_password($password, $hash, $user_id = '') { 2050 global $wp_hasher;2051 2052 2035 // If the hash is still md5... 2053 2036 if ( strlen($hash) <= 32 ) { 2054 2037 $check = hash_equals( $hash, md5( $password ) ); … … 2073 2056 2074 2057 // If the stored hash is longer than an MD5, presume the 2075 2058 // new style phpass portable hash. 2076 if ( empty($wp_hasher) ) { 2077 require_once( ABSPATH . WPINC . '/class-phpass.php'); 2078 // By default, use the portable hash from phpass 2079 $wp_hasher = new PasswordHash(8, true); 2080 } 2059 $check = wp_hasher()->CheckPassword( $password, $hash ); 2081 2060 2082 $check = $wp_hasher->CheckPassword($password, $hash);2083 2084 2061 /** This filter is documented in wp-includes/pluggable.php */ 2085 2062 return apply_filters( 'check_password', $check, $password, $hash, $user_id ); 2086 2063 } -
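Review bot: In `wp_new_user_notification()` the activation key is now hashed with `wp_hash_password( $key )`, but `check_password_reset_key()` in user.php still verifies it with `wp_hasher()->CheckPassword( $key, $pass_key )`. `wp_hash_password()` lives in pluggable.php and sits inside the `endif;` guard visible after it, so a plugin can replace it. If a site swaps in a scheme that phpass cannot verify, stored keys would never validate, and the override would also decide how reset keys are protected at rest. Hashing and checking with the same primitive avoids this: `$hashed = time() . ':' . wp_hasher()->HashPassword( $key );`. The same change applies to `get_password_reset_key()` in user.php; both function bodies extend beyond the hunks shown.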
src/wp-includes/user.php
2029 2029 * @since 4.4.0 2030 2030 * 2031 2031 * @global wpdb $wpdb WordPress database abstraction object. 2032 * @global PasswordHash $wp_hasher Portable PHP password hashing framework.2033 2032 * 2034 2033 * @param WP_User $user User to retrieve password reset key for. 2035 2034 * … … 2036 2035 * @return string|WP_Error Password reset key on success. WP_Error on error. 2037 2036 */ 2038 2037 function get_password_reset_key( $user ) { 2039 global $wpdb , $wp_hasher;2038 global $wpdb; 2040 2039 2041 2040 /** 2042 2041 * Fires before a new password is retrieved. … … 2094 2093 do_action( 'retrieve_password_key', $user->user_login, $key ); 2095 2094 2096 2095 // Now insert the key, hashed, into the DB. 2097 if ( empty( $wp_hasher ) ) { 2098 require_once ABSPATH . WPINC . '/class-phpass.php'; 2099 $wp_hasher = new PasswordHash( 8, true ); 2100 } 2101 $hashed = time() . ':' . $wp_hasher->HashPassword( $key ); 2096 $hashed = time() . ':' . wp_hash_password( $key ); 2102 2097 $key_saved = $wpdb->update( $wpdb->users, array( 'user_activation_key' => $hashed ), array( 'user_login' => $user->user_login ) ); 2103 2098 if ( false === $key_saved ) { 2104 2099 return new WP_Error( 'no_password_key_update', __( 'Could not save password reset key to database.' ) ); … … 2118 2113 * @since 3.1.0 2119 2114 * 2120 2115 * @global wpdb $wpdb WordPress database object for queries. 2121 * @global PasswordHash $wp_hasher Portable PHP password hashing framework instance.2122 2116 * 2123 2117 * @param string $key Hash to validate sending user's password. 2124 2118 * @param string $login The user login. … … 2125 2119 * @return WP_User|WP_Error WP_User object on success, WP_Error object for invalid or expired keys. 2126 2120 */ 2127 2121 function check_password_reset_key($key, $login) { 2128 global $wpdb , $wp_hasher;2122 global $wpdb; 2129 2123 2130 2124 $key = preg_replace('/[^a-z0-9]/i', '', $key); 2131 2125 … … 2139 2133 if ( ! 
$row ) 2140 2134 return new WP_Error('invalid_key', __('Invalid key')); 2141 2135 2142 if ( empty( $wp_hasher ) ) {2143 require_once ABSPATH . WPINC . '/class-phpass.php';2144 $wp_hasher = new PasswordHash( 8, true );2145 }2146 2147 2136 /** 2148 2137 * Filters the expiration time of password reset keys. 2149 2138 * … … 2165 2154 return new WP_Error( 'invalid_key', __( 'Invalid key' ) ); 2166 2155 } 2167 2156 2168 $hash_is_correct = $wp_hasher->CheckPassword( $key, $pass_key );2157 $hash_is_correct = wp_hasher()->CheckPassword( $key, $pass_key ); 2169 2158 2170 2159 if ( $hash_is_correct && $expiration_time && time() < $expiration_time ) { 2171 2160 return get_userdata( $row->ID );