Ticket #42183: 42183.2.patch

File 42183.2.patch, 1.1 KB (added by johnjamesjacoby, 4 years ago)

Uses wp_check_password() and renames a variable to avoid keeping the plaintext password floating around in another variable

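diff --git a/src/wp-includes/user.php b/src/wp-includes/user.php
index 1c1e466..6fb9dc2 100644
--- a/src/wp-includes/user.php
+++ b/src/wp-includes/user.php
@@ -1820,9 +1820,12 @@
         // Escape data pulled from DB.
         $user = add_magic_quotes( $user );
 
-        if ( ! empty( $userdata['user_pass'] ) && $userdata['user_pass'] !== $user_obj->user_pass ) {
-                // If password is changing, hash it now
-                $plaintext_pass = $userdata['user_pass'];
+        if ( ! empty( $userdata['user_pass'] ) && ! wp_check_password( $userdata['user_pass'], $user_obj->user_pass, $ID ) ) {
+
+                // Used downstream to clear cookies.
+                $changed_password = true;
+
+                // wp_insert_user() expects new password to be hashed already.
                 $userdata['user_pass'] = wp_hash_password( $userdata['user_pass'] );
 
                 /**
@@ -1993,7 +1996,7 @@
         // Update the cookies if the password changed.
         $current_user = wp_get_current_user();
         if ( $current_user->ID == $ID ) {
-                if ( isset($plaintext_pass) ) {
+                if ( isset($changed_password) ) {
                         wp_clear_auth_cookie();
 
                         // Here we calculate the expiration length of the current auth cookie and compare it to the default expiration.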
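Review bot: The new test on line 1823 treats every non-empty `$userdata['user_pass']` as plaintext, so a caller that hands back the stored hash unchanged (for example a user record read from the database, edited and passed in again) is no longer recognised the way the removed `!==` comparison recognised it. The hash would fail `wp_check_password()`, be hashed a second time, and the account would be left with a password nobody knows. Keeping the equality guard ahead of the new check avoids that: `if ( ! empty( $userdata['user_pass'] ) && $userdata['user_pass'] !== $user_obj->user_pass && ! wp_check_password( $userdata['user_pass'], $user_obj->user_pass, $ID ) ) {`. Passing `$ID` also appears to let the default `wp_check_password()` rewrite a legacy hash on a successful match, which is a database write hidden inside what reads as a comparison and deserves a comment here. The function body starts and ends outside both hunks, so whether such callers exist cannot be confirmed from this page.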