Changeset 30468

Timestamp:

11/20/2014 04:05:10 PM (11 years ago)

Author:

nacin

Message:

Prevent high resource usage when hashing large passwords. props mdawaffe, pento

Merges [30466] to the 3.9 branch.

Location:

branches/3.9

Files:

• . (modified) (1 prop)
• src/wp-includes/class-phpass.php (modified) (2 diffs)
• tests/phpunit/tests/auth.php (modified) (2 diffs)

branches/3.9/src/wp-includes/class-phpass.php

@@ -215 +215 @@
     function HashPassword($password)
     {
+        if ( strlen( $password ) > 4096 ) {
+            return '*';
+        }
+
         $random = '';
 
@@ -250 +254 @@
     function CheckPassword($password, $stored_hash)
     {
+        if ( strlen( $password ) > 4096 ) {
+            return false;
+        }
+
         $hash = $this->crypt_private($password, $stored_hash);
         if ($hash[0] == '*')

branches/3.9/tests/phpunit/tests/auth.php

@@ -3 +3 @@
 /**
  * @group pluggable
+ * @group auth
  */
 class Tests_Auth extends WP_UnitTestCase {
@@ -92 +93 @@
         $this->assertTrue( wp_check_password( 'pass with vertial tab o_O', wp_hash_password( $password ) ) );
     }
+
+    function test_password_length_limit() {
+        $passwords = array(
+            str_repeat( 'a', 4095 ), // short
+            str_repeat( 'a', 4096 ), // limit
+            str_repeat( 'a', 4097 ), // long
+        );
+
+        $user_id = $this->factory->user->create( array( 'user_login' => 'password-length-test' ) );
+
+        wp_set_password( $passwords[1], $user_id );
+        $user = get_user_by( 'id', $user_id );
+        // phpass hashed password
+        $this->assertStringStartsWith( '$P$', $user->data->user_pass );
+
+        $user = wp_authenticate( 'password-length-test', $passwords[0] );
+        // Wrong Password
+        $this->assertInstanceOf( 'WP_Error', $user );
+
+        $user = wp_authenticate( 'password-length-test', $passwords[1] );
+        $this->assertInstanceOf( 'WP_User', $user );
+        $this->assertEquals( $user_id, $user->ID );
+
+        $user = wp_authenticate( 'password-length-test', $passwords[2] );
+        // Wrong Password
+        $this->assertInstanceOf( 'WP_Error', $user );
+
+
+        wp_set_password( $passwords[2], $user_id );
+        $user = get_user_by( 'id', $user_id );
+        // Password broken by setting it to be too long.
+        $this->assertEquals( '*', $user->data->user_pass );
+
+        $user = wp_authenticate( 'password-length-test', $passwords[0] );
+        // Wrong Password
+        $this->assertInstanceOf( 'WP_Error', $user );
+
+        $user = wp_authenticate( 'password-length-test', $passwords[1] );
+        // Wrong Password
+        $this->assertInstanceOf( 'WP_Error', $user );
+
+        $user = wp_authenticate( 'password-length-test', $passwords[2] );
+        // Password broken by setting it to be too long.
+        $this->assertInstanceOf( 'WP_Error', $user );
+    }
 }