
Ticket #5401: password-generation.patch

File password-generation.patch, 4.3 KB (added by pishmishy, 10 years ago)

Strengthens password generation

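--- a/wp-login.php
+++ b/wp-login.php
@@ -110,9 +110,9 @@
                                 do_action('retreive_password', $user_login);  // Misspelled and deprecated
                                 do_action('retrieve_password', $user_login);
 
-                                // Generate something random for a password... md5'ing current time with a rand salt
+                                // Generate something random for a key...
                                 $key = substr( md5( uniqid( microtime() ) ), 0, 8);
-                                // Now insert the new pass md5'd into the db
+                                // Now insert the new md5 key into the db
                                 $wpdb->query("UPDATE $wpdb->users SET user_activation_key = '$key' WHERE user_login = '$user_login'");
                                 $message = __('Someone has asked to reset the password for the following site and username.') . "\r\n\r\n";
                                 $message .= get_option('siteurl') . "\r\n\r\n";
@@ -182,8 +182,8 @@
 
         do_action('password_reset');
 
-        // Generate something random for a password... md5'ing current time with a rand salt
-        $new_pass = substr( md5( uniqid( microtime() ) ), 0, 7);
+        // Generate something random for a password...
+        $new_pass = wp_generate_password();
         $wpdb->query("UPDATE $wpdb->users SET user_pass = MD5('$new_pass'), user_activation_key = '' WHERE user_login = '$user->user_login'");
         wp_cache_delete($user->ID, 'users');
         wp_cache_delete($user->user_login, 'userlogins');
@@ -241,7 +241,7 @@
                 $errors = apply_filters( 'registration_errors', $errors );
 
                 if ( empty( $errors ) ) {
-                        $user_pass = substr( md5( uniqid( microtime() ) ), 0, 7);
+                        $user_pass = wp_generate_password();
 
                         $user_id = wp_create_user( $user_login, $user_pass, $user_email );
                         if ( !$user_id )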
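Review bot: The activation key on line 114 of the first hunk is still built with `substr( md5( uniqid( microtime() ) ), 0, 8)`, the same clock-derived construct this patch replaces for passwords in the other two hunks; only its comment was reworded. That key is what later authorizes the password reset, so it is at least as sensitive as the password generated at line 186, and a value derived from the request time stays narrow enough to enumerate for anyone who knows roughly when the reset was requested. Putting it on the same footing as the passwords is a one-line change, `$key = wp_generate_password();`; if an 8-character key is wanted, the helper would need a length parameter. The request-handling blocks enclosing all three hunks start and end outside the hunks.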
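--- a/wp-includes/pluggable.php
+++ b/wp-includes/pluggable.php
@@ -700,4 +700,19 @@
 }
 endif;
 
+if ( !function_exists('wp_generate_password') ) :
+/**
+ * Generates a random password drawn from the defined set of characters
+ * @return string the password
+ **/
+function wp_generate_password() {
+        $chars = "abcdefghifjklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
+        $length = 7;
+        $password = "";
+        for($i=0;$i<$length;$i++){
+                $password .= substr($chars,mt_rand(0,strlen($chars)-1),1);
+        }
+        return $password;
+}
+endif;
 ?>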
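Review bot: The character set on line 709 reads `abcdefghifjklmnopqrstuvwxyz`, which lists `f` twice, so the lowercase run has 27 entries and `f` is drawn twice as often as any other letter; the intended line is `$chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";`. The hard-coded `$length = 7;` would serve callers better as a parameter, `function wp_generate_password( $length = 7 ) {`, given that the call sites this patch replaces previously used 5, 6, 7 and 8 characters. `mt_rand()` is a general-purpose generator rather than a cryptographic source, so the docblock should state that, e.g. `* Characters are chosen with mt_rand(), which is not a cryptographic source.`, so callers know the strength of the result depends on how that generator is seeded.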
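--- a/wp-admin/includes/upgrade.php
+++ b/wp-admin/includes/upgrade.php
@@ -35,7 +35,7 @@
         // being shared among blogs.  Just set the role in that case.
         $user_id = username_exists($user_name);
         if ( !$user_id ) {
-                $random_password = substr(md5(uniqid(microtime())), 0, 6);
+                $random_password = wp_generate_password();
                 $user_id = wp_create_user($user_name, $random_password, $user_email);
         } else {
                 $random_password = __('User already exists.  Password inherited.');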
  • wp-admin/options-writing.php

     
    5959
    6060<fieldset class="options">
    6161<legend><?php _e('Post via e-mail') ?></legend>
    62 <p><?php printf(__('To post to WordPress by e-mail you must set up a secret e-mail account with POP3 access. Any mail received at this address will be posted, so it&#8217;s a good idea to keep this address very secret. Here are three random strings you could use: <code>%s</code>, <code>%s</code>, <code>%s</code>.'), substr(md5(uniqid(microtime())),0,5), substr(md5(uniqid(microtime())),0,5), substr(md5(uniqid(microtime())),0,5)) ?></p>
     62<p><?php printf(__('To post to WordPress by e-mail you must set up a secret e-mail account with POP3 access. Any mail received at this address will be posted, so it&#8217;s a good idea to keep this address very secret. Here are three random strings you could use: <code>%s</code>, <code>%s</code>, <code>%s</code>.'), wp_generate_password(), wp_generate_password(), wp_generate_password()) ?></p>
    6363
    6464<table width="100%" cellspacing="2" cellpadding="5" class="optiontable editform">
    6565<tr valign="top">
     
    121121</form>
    122122</div>
    123123
    124 <?php include('./admin-footer.php') ?>
    125  No newline at end of file
     124<?php include('./admin-footer.php') ?>
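Review bot: The three `wp_generate_password()` results on line 62 are written into the page by `printf` without escaping, which is only safe because the helper's character set is currently alphanumeric. If that set is ever widened to punctuation, as password generators commonly are, these values would need `htmlspecialchars()` before being placed inside the `<code>` elements; wrapping them now, e.g. `htmlspecialchars(wp_generate_password())`, removes the dependency on the helper's internals. The second hunk only adds the missing trailing newline.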