
Ticket #5401: password-generation.patch

File password-generation.patch, 4.3 KB (added by pishmishy, 6 years ago)

Strengthens password generation

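--- a/wp-login.php
+++ b/wp-login.php
@@ -110,9 +110,9 @@
                                 do_action('retreive_password', $user_login);  // Misspelled and deprecated
                                 do_action('retrieve_password', $user_login);
 
-                                // Generate something random for a password... md5'ing current time with a rand salt
+                                // Generate something random for a key...
                                 $key = substr( md5( uniqid( microtime() ) ), 0, 8);
-                                // Now insert the new pass md5'd into the db
+                                // Now insert the new md5 key into the db
                                 $wpdb->query("UPDATE $wpdb->users SET user_activation_key = '$key' WHERE user_login = '$user_login'");
                                 $message = __('Someone has asked to reset the password for the following site and username.') . "\r\n\r\n";
                                 $message .= get_option('siteurl') . "\r\n\r\n";
@@ -182,8 +182,8 @@
 
         do_action('password_reset');
 
-        // Generate something random for a password... md5'ing current time with a rand salt
-        $new_pass = substr( md5( uniqid( microtime() ) ), 0, 7);
+        // Generate something random for a password...
+        $new_pass = wp_generate_password();
         $wpdb->query("UPDATE $wpdb->users SET user_pass = MD5('$new_pass'), user_activation_key = '' WHERE user_login = '$user->user_login'");
         wp_cache_delete($user->ID, 'users');
         wp_cache_delete($user->user_login, 'userlogins');
@@ -241,7 +241,7 @@
                 $errors = apply_filters( 'registration_errors', $errors );
 
                 if ( empty( $errors ) ) {
-                        $user_pass = substr( md5( uniqid( microtime() ) ), 0, 7);
+                        $user_pass = wp_generate_password();
 
                         $user_id = wp_create_user( $user_login, $user_pass, $user_email );
                         if ( !$user_id )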
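Review bot: The activation key in the first hunk, `$key = substr( md5( uniqid( microtime() ) ), 0, 8);`, is left untouched while only its comment is reworded; `uniqid()` and `microtime()` are both clock-derived, so the key that gates the password reset stays far more predictable than the `wp_generate_password()` output the second and third hunks switch to. Since that key is stored as the reset credential and presumably mailed to the user, it deserves at least the same treatment as the password itself; `$key = wp_generate_password();` would be the consistent choice once the helper accepts a length argument. The functions containing these three hunks start and end outside the hunks.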
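--- a/wp-includes/pluggable.php
+++ b/wp-includes/pluggable.php
@@ -700,4 +700,19 @@
 }
 endif;
 
+if ( !function_exists('wp_generate_password') ) :
+/**
+ * Generates a random password drawn from the defined set of characters
+ * @return string the password
+ **/
+function wp_generate_password() {
+        $chars = "abcdefghifjklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
+        $length = 7;
+        $password = "";
+        for($i=0;$i<$length;$i++){
+                $password .= substr($chars,mt_rand(0,strlen($chars)-1),1);
+        }
+        return $password;
+}
+endif;
 ?>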
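Review bot: `wp_generate_password()` draws every character from `mt_rand()`, which is a Mersenne Twister output rather than a cryptographically secure generator, so the passwords it produces for wp-login.php and wp-admin/includes/upgrade.php are weaker than their length suggests. The character set literal also contains a typo — `abcdefghifjklmnop…` lists `f` twice — which skews the distribution toward `f` and shrinks the effective alphabet. On PHP releases that provide it, `random_int()` is the appropriate source, e.g. `$password .= $chars[random_int(0, strlen($chars) - 1)];`, with the literal corrected to `abcdefghijklmnopqrstuvwxyz…`. Making the hard-coded `$length = 7` a parameter (`function wp_generate_password($length = 7)`) would also let the eight-character reset key in wp-login.php reuse this helper.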
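--- a/wp-admin/includes/upgrade.php
+++ b/wp-admin/includes/upgrade.php
@@ -35,7 +35,7 @@
         // being shared among blogs.  Just set the role in that case.
         $user_id = username_exists($user_name);
         if ( !$user_id ) {
-                $random_password = substr(md5(uniqid(microtime())), 0, 6);
+                $random_password = wp_generate_password();
                 $user_id = wp_create_user($user_name, $random_password, $user_email);
         } else {
                 $random_password = __('User already exists.  Password inherited.');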
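--- a/wp-admin/options-writing.php
+++ b/wp-admin/options-writing.php
@@ -59,7 +59,7 @@
 
 <fieldset class="options">
 <legend><?php _e('Post via e-mail') ?></legend>
-<p><?php printf(__('To post to WordPress by e-mail you must set up a secret e-mail account with POP3 access. Any mail received at this address will be posted, so it&#8217;s a good idea to keep this address very secret. Here are three random strings you could use: <code>%s</code>, <code>%s</code>, <code>%s</code>.'), substr(md5(uniqid(microtime())),0,5), substr(md5(uniqid(microtime())),0,5), substr(md5(uniqid(microtime())),0,5)) ?></p>
+<p><?php printf(__('To post to WordPress by e-mail you must set up a secret e-mail account with POP3 access. Any mail received at this address will be posted, so it&#8217;s a good idea to keep this address very secret. Here are three random strings you could use: <code>%s</code>, <code>%s</code>, <code>%s</code>.'), wp_generate_password(), wp_generate_password(), wp_generate_password()) ?></p>
 
 <table width="100%" cellspacing="2" cellpadding="5" class="optiontable editform">
 <tr valign="top">
@@ -121,4 +121,4 @@
 </form>
 </div>
 
-<?php include('./admin-footer.php') ?>
\ No newline at end of file
+<?php include('./admin-footer.php') ?>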
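Review bot: The three `wp_generate_password()` results on line 62 are printed straight into the HTML inside `<code>` with no escaping. That is safe only while the generator's alphabet stays alphanumeric; because the helper in wp-includes/pluggable.php is declared under a `function_exists()` guard it is pluggable, and an override that returns punctuation would make this line emit unescaped markup. Wrapping each value, e.g. `htmlspecialchars(wp_generate_password())`, keeps the page independent of the generator's alphabet. The second hunk only restores the trailing newline.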