
Changeset 30466


Timestamp:
11/20/2014 04:02:55 PM (10 years ago)
Author:
nacin
Message:

Prevent high resource usage when hashing large passwords. props mdawaffe, pento

Location:
trunk
Files:
2 edited

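--- a/trunk/src/wp-includes/class-phpass.php
+++ b/trunk/src/wp-includes/class-phpass.php
@@ -215,4 +215,8 @@
     function HashPassword($password)
     {
+        if ( strlen( $password ) > 4096 ) {
+            return '*';
+        }
+
         $random = '';
 
@@ -250,4 +254,8 @@
     function CheckPassword($password, $stored_hash)
     {
+        if ( strlen( $password ) > 4096 ) {
+            return false;
+        }
+
         $hash = $this->crypt_private($password, $stored_hash);
         if ($hash[0] == '*')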
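Review bot: The `'*'` returned by HashPassword for an over-long input is a silent failure rather than an error: the caller stores it verbatim as the user's hash (the new test in tests/phpunit/tests/auth.php asserts that `user_pass` becomes `'*'`), so the account silently loses password login with nothing reported up the stack. That is a reasonable resource-usage guard only if it is documented at the method, e.g. `// Reject inputs over 4096 bytes before hashing to bound CPU cost; '*' is a deliberately invalid hash that CheckPassword never accepts.` The same 4096 bound is written twice with no shared definition (here and in CheckPassword), and it is a byte count via strlen, which is the right measure for a cost limit — a class constant with a comment saying so keeps the two from drifting and stops a later "fix" to mb_strlen. Both method bodies continue past the hunk.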
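--- a/trunk/tests/phpunit/tests/auth.php
+++ b/trunk/tests/phpunit/tests/auth.php
@@ -3,4 +3,5 @@
 /**
  * @group pluggable
+ * @group auth
  */
 class Tests_Auth extends WP_UnitTestCase {
@@ -100,3 +101,48 @@
         $this->assertFalse( wp_verify_nonce( null ) );
     }
+
+    function test_password_length_limit() {
+        $passwords = array(
+            str_repeat( 'a', 4095 ), // short
+            str_repeat( 'a', 4096 ), // limit
+            str_repeat( 'a', 4097 ), // long
+        );
+
+        $user_id = $this->factory->user->create( array( 'user_login' => 'password-length-test' ) );
+
+        wp_set_password( $passwords[1], $user_id );
+        $user = get_user_by( 'id', $user_id );
+        // phpass hashed password
+        $this->assertStringStartsWith( '$P$', $user->data->user_pass );
+
+        $user = wp_authenticate( 'password-length-test', $passwords[0] );
+        // Wrong Password
+        $this->assertInstanceOf( 'WP_Error', $user );
+
+        $user = wp_authenticate( 'password-length-test', $passwords[1] );
+        $this->assertInstanceOf( 'WP_User', $user );
+        $this->assertEquals( $user_id, $user->ID );
+
+        $user = wp_authenticate( 'password-length-test', $passwords[2] );
+        // Wrong Password
+        $this->assertInstanceOf( 'WP_Error', $user );
+
+
+        wp_set_password( $passwords[2], $user_id );
+        $user = get_user_by( 'id', $user_id );
+        // Password broken by setting it to be too long.
+        $this->assertEquals( '*', $user->data->user_pass );
+
+        $user = wp_authenticate( 'password-length-test', $passwords[0] );
+        // Wrong Password
+        $this->assertInstanceOf( 'WP_Error', $user );
+
+        $user = wp_authenticate( 'password-length-test', $passwords[1] );
+        // Wrong Password
+        $this->assertInstanceOf( 'WP_Error', $user );
+
+        $user = wp_authenticate( 'password-length-test', $passwords[2] );
+        // Password broken by setting it to be too long.
+        $this->assertInstanceOf( 'WP_Error', $user );
+    }
 }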
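Review bot: `test_password_length_limit()` hard-codes the boundary three times (4095, 4096, 4097) with no reference to where the 4096 limit lives in class-phpass.php, so a future change to that limit would turn these into a silently mis-targeted test rather than a failing one; a one-line docblock on the test naming the limit and its purpose, e.g. `Passwords longer than 4096 bytes are rejected by phpass hashing and verification (resource-usage guard).`, makes the coupling explicit and gives the test a stated contract. The "Wrong Password" assertions on the 4097-byte input cannot distinguish the new early return in CheckPassword from an ordinary mismatch, since both yield WP_Error — that is fine for an integration test but worth saying in the comment so nobody reads it as coverage of the short-circuit. The `assertEquals( '*', $user->data->user_pass )` check pins an internal sentinel; if that value is an implementation detail, `$this->assertStringStartsNotWith( '$P$', $user->data->user_pass );` asserts the observable fact (no valid hash was stored) with less brittleness.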