Ticket #881: 881.diff
File 881.diff, 3.6 KB (added by , 9 years ago) |
src/wp-admin/includes/meta-boxes.php
157 157 <span id="sticky-span"><input id="sticky" name="sticky" type="checkbox" value="sticky" <?php checked( is_sticky( $post->ID ) ); ?> /> <label for="sticky" class="selectit"><?php _e( 'Stick this post to the front page' ); ?></label><br /></span> 158 158 <?php endif; ?> 159 159 <input type="radio" name="visibility" id="visibility-radio-password" value="password" <?php checked( $visibility, 'password' ); ?> /> <label for="visibility-radio-password" class="selectit"><?php _e('Password protected'); ?></label><br /> 160 <span id="password-span"><label for="post_password"><?php _e('Password:'); ?></label> <input type="text" name="post_password" id="post_password" value="<?php echo esc_attr($post->post_password); ?>" maxlength="20"/><br /></span>160 <span id="password-span"><label for="post_password"><?php _e('Password:'); ?></label> <input type="text" name="post_password" id="post_password" /><br /></span> 161 161 <input type="radio" name="visibility" id="visibility-radio-private" value="private" <?php checked( $visibility, 'private' ); ?> /> <label for="visibility-radio-private" class="selectit"><?php _e('Private'); ?></label><br /> 162 162 163 163 <p> -
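Review bot: With the `value` attribute gone from `#post_password` (taking the line without it as the new side, which matches the hashing added in post-functions.php), the field is empty every time an already protected post is opened for editing. The save path is not in this hunk, so confirm that submitting the field blank while the "Password protected" radio is still selected leaves the stored value unchanged; otherwise a routine edit would silently drop the protection. A `placeholder` or short description stating that a blank field keeps the current password would tell editors what to expect, and the input is still `type="text"`.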
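--- a/src/wp-includes/post-functions.php
+++ b/src/wp-includes/post-functions.php
@@ -3116,6 +3116,14 @@
 }
 
 /**
+ * Hash any post_password to allow for strong passwords within the database schema.
+ * Using an md5 hash truncated to 20 charachters still ensures significant key entropy.
+ */
+if ( '' !== $post_password ) {
+$post_password = substr( md5( $post_password ), 0, 20 );
+}
+
+/**
  * Filter the post parent -- used to check for and prevent hierarchy loops.
  *
  * @since 3.1.0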
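Review bot: The added `if ( '' !== $post_password )` block hashes whatever value reaches it and cannot tell a freshly typed password from a digest that is already stored. The enclosing function starts and ends outside the hunk, but if this path also runs on updates that carry the saved `post_password` through, each save would hash the digest again and lock out visitors who know the real password; the hashing belongs where the password is entered, or behind a check that the value actually changed. Separately, the docblock overstates the protection: an unsalted MD5 cut to 20 hex characters is fast to guess offline and identical for identical passwords, so the comment should say something like `Truncated to 20 characters to fit the existing schema; this is not a password-storage hash.`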
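--- a/src/wp-includes/post-template.php
+++ b/src/wp-includes/post-template.php
@@ -753,6 +753,9 @@
 if ( ! isset( $_COOKIE['wp-postpass_' . COOKIEHASH] ) )
 return true;
 
+if ( ! isset( $_COOKIE['wp-postpass_hash_' . COOKIEHASH] ) )
+return true;
+
 require_once ABSPATH . WPINC . '/class-phpass.php';
 $hasher = new PasswordHash( 8, true );
 
@@ -760,7 +763,9 @@
 if ( 0 !== strpos( $hash, '$P$B' ) )
 return true;
 
-return ! $hasher->CheckPassword( $post->post_password, $hash );
+$stronghash = wp_unslash( $_COOKIE[ 'wp-postpass_hash_' . COOKIEHASH ] );
+
+return ! ( $hasher->CheckPassword( $post->post_password, $hash ) || $hasher->CheckPassword( $post->post_password, $stronghash ) ) ;
 }
 
 //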
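Review bot: The new return expression still accepts `CheckPassword( $post->post_password, $hash )` for every post, so for posts saved after this change the stored truncated MD5 is itself accepted as the password. That makes the digest password-equivalent: anyone who can read the stored value can unlock the post, and the hashing adds nothing at this check. The legacy `$hash` comparison should apply only to rows known to still hold plaintext, with `$stronghash` checked alone otherwise. `$stronghash` also skips the `0 !== strpos( $hash, '$P$B' )` format check applied to `$hash`, and the added early `return true` on a missing `wp-postpass_hash_` cookie makes visitors holding only the older cookie re-enter the password. The function starts outside the hunk.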
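--- a/src/wp-login.php
+++ b/src/wp-login.php
@@ -449,7 +449,10 @@
 } else {
 $secure = false;
 }
+// This line proveides backwards compatibility for plaintext stored post_password data.
 setcookie( 'wp-postpass_' . COOKIEHASH, $hasher->HashPassword( wp_unslash( $_POST['post_password'] ) ), $expire, COOKIEPATH, COOKIE_DOMAIN, $secure );
+// Since WordPress 4.4.0 post_password is stored in md5 hash form.
+setcookie( 'wp-postpass_hash_' . COOKIEHASH, $hasher->HashPassword( wp_unslash( substr( md5( $_POST['post_password'] ), 0, 20 ), $expire, COOKIEPATH, COOKIE_DOMAIN, $secure ) ) );
 
 wp_safe_redirect( wp_get_referer() );
 exit();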
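Review bot: The closing parentheses on the added `wp-postpass_hash_` `setcookie()` call are misplaced, so `$expire, COOKIEPATH, COOKIE_DOMAIN, $secure` are passed to `wp_unslash()` instead of `setcookie()`. The new cookie is therefore set with a name and value only: it becomes a session cookie on the default path and does not carry the `$secure` flag that the line above applies. The arguments should move out, as in `setcookie( 'wp-postpass_hash_' . COOKIEHASH, $hasher->HashPassword( substr( md5( wp_unslash( $_POST['post_password'] ) ), 0, 20 ) ), $expire, COOKIEPATH, COOKIE_DOMAIN, $secure );`. The order of `wp_unslash()` and `md5()` has to match the form of the password that is hashed on save, which this hunk does not show.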