
Ticket #881: 881.diff

File 881.diff, 3.6 KB (added by adamsilverstein, 9 years ago)
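--- a/src/wp-admin/includes/meta-boxes.php
+++ b/src/wp-admin/includes/meta-boxes.php
@@ -157,7 +157,7 @@
 <span id="sticky-span"><input id="sticky" name="sticky" type="checkbox" value="sticky" <?php checked( is_sticky( $post->ID ) ); ?> /> <label for="sticky" class="selectit"><?php _e( 'Stick this post to the front page' ); ?></label><br /></span>
 <?php endif; ?>
 <input type="radio" name="visibility" id="visibility-radio-password" value="password" <?php checked( $visibility, 'password' ); ?> /> <label for="visibility-radio-password" class="selectit"><?php _e('Password protected'); ?></label><br />
-<span id="password-span"><label for="post_password"><?php _e('Password:'); ?></label> <input type="text" name="post_password" id="post_password" value="<?php echo esc_attr($post->post_password); ?>"  maxlength="20" /><br /></span>
+<span id="password-span"><label for="post_password"><?php _e('Password:'); ?></label> <input type="text" name="post_password" id="post_password" /><br /></span>
 <input type="radio" name="visibility" id="visibility-radio-private" value="private" <?php checked( $visibility, 'private' ); ?> /> <label for="visibility-radio-private" class="selectit"><?php _e('Private'); ?></label><br />
 
 <p>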
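Review bot: With the value attribute dropped on the `+` line, the password field is empty every time the post is re-edited, so an ordinary update submits an empty `post_password`; unless the save path keeps the stored value when the field is blank (not visible here), saving any unrelated change would silently remove the password protection. The visibility radio still reports the post as password protected, so the editor gets no hint that the stored hash cannot be shown back. Consider a hint such as `placeholder="<?php esc_attr_e( 'A password is set; enter a new one to change it' ); ?>"` on the input and, on the server, treating a blank field as "no change" rather than "clear". The surrounding form markup starts and ends outside this hunk.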
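--- a/src/wp-includes/post-functions.php
+++ b/src/wp-includes/post-functions.php
@@ -3116,6 +3116,14 @@
         }
 
         /**
+         * Hash any post_password to allow for strong passwords within the database schema.
+         * Using an md5 hash truncated to 20 charachters still ensures significant key entropy.
+         */
+        if ( '' !== $post_password ) {
+                $post_password = substr( md5( $post_password ), 0, 20 );
+        }
+
+        /**
          * Filter the post parent -- used to check for and prevent hierarchy loops.
          *
          * @since 3.1.0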
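Review bot: Nothing in the added block distinguishes a plaintext `$post_password` from one that is already the 20-character md5 prefix, so any caller that passes the stored value back unchanged (an update that does not touch the password) would hash the hash and lock the post; the enclosing function starts and ends outside the hunk, so whether such a path exists cannot be confirmed from here, but the contract that this value is always plaintext needs stating in the function's docblock. The comment's entropy claim also overstates the protection: an unsalted md5 of a user-chosen password is cheap to guess offline whatever the output length, and the column width is the real reason for the choice, so the second comment line should say that instead of `still ensures significant key entropy` (and `charachters` is misspelled). A salted, slow hash via `wp_hash_password()` with a widened column would be the stronger fix.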
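--- a/src/wp-includes/post-template.php
+++ b/src/wp-includes/post-template.php
@@ -753,6 +753,9 @@
         if ( ! isset( $_COOKIE['wp-postpass_' . COOKIEHASH] ) )
                 return true;
 
+        if ( ! isset( $_COOKIE['wp-postpass_hash_' . COOKIEHASH] ) )
+                return true;
+
         require_once ABSPATH . WPINC . '/class-phpass.php';
         $hasher = new PasswordHash( 8, true );
 
@@ -760,7 +763,9 @@
         if ( 0 !== strpos( $hash, '$P$B' ) )
                 return true;
 
-        return ! $hasher->CheckPassword( $post->post_password, $hash );
+        $stronghash = wp_unslash( $_COOKIE[ 'wp-postpass_hash_' . COOKIEHASH ] );
+
+        return ! ( $hasher->CheckPassword( $post->post_password, $hash ) || $hasher->CheckPassword( $post->post_password, $stronghash ) ) ;
 }
 
 //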
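Review bot: The `$stronghash` cookie on the added return line is not put through the `'$P$B'` prefix check that `$hash` gets three lines earlier, so an arbitrary cookie value reaches `CheckPassword()` on the new path; the same guard should precede it, `if ( 0 !== strpos( $stronghash, '$P$B' ) ) return true;`. More importantly, the `||` keeps the legacy comparison alive for posts whose `post_password` is already the stored md5 value: a visitor who types that 20-character hex string itself satisfies `CheckPassword( $post->post_password, $hash )`, so a read of the database column becomes a working credential and the hashing buys little; the plaintext fallback should apply only to posts whose stored value is known to be unhashed, or be dropped after a migration. The new `isset()` check for the second cookie also means a visitor holding only a pre-upgrade `wp-postpass_` cookie is sent back to the form, which may be intended but deserves a comment. The enclosing function starts outside the hunk.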
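--- a/src/wp-login.php
+++ b/src/wp-login.php
@@ -449,7 +449,10 @@
         } else {
                 $secure = false;
         }
+        // This line proveides backwards compatibility for plaintext stored post_password data.
         setcookie( 'wp-postpass_' . COOKIEHASH, $hasher->HashPassword( wp_unslash( $_POST['post_password'] ) ), $expire, COOKIEPATH, COOKIE_DOMAIN, $secure );
+        // Since WordPress 4.4.0 post_password is stored in md5 hash form.
+        setcookie( 'wp-postpass_hash_' . COOKIEHASH, $hasher->HashPassword( wp_unslash( substr( md5( $_POST['post_password'] ), 0, 20 ), $expire, COOKIEPATH, COOKIE_DOMAIN, $secure ) ) );
 
         wp_safe_redirect( wp_get_referer() );
         exit();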
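Review bot: The parentheses on the added `setcookie( 'wp-postpass_hash_' ...` line are misplaced: `$expire, COOKIEPATH, COOKIE_DOMAIN, $secure` become extra arguments to `wp_unslash()` and `setcookie()` receives only the name and value, so the new cookie is a session cookie on the default path without the Secure flag even when `$secure` is true. The md5 is also computed over the slashed `$_POST` value before `wp_unslash()`, which likely will not match a stored hash computed from the unslashed string for passwords containing quotes or backslashes (the storing side is in another file, so this is inferred). Corrected line: `setcookie( 'wp-postpass_hash_' . COOKIEHASH, $hasher->HashPassword( substr( md5( wp_unslash( $_POST['post_password'] ) ), 0, 20 ) ), $expire, COOKIEPATH, COOKIE_DOMAIN, $secure );`. Also `proveides` in the first added comment is misspelled.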