
Changeset 35116


Timestamp:
10/13/2015 02:47:09 AM (5 years ago)
Author:
wonderboymusic
Message:

Users: when passing a WP_User instance to wp_update_user(), ensure that the user password is not accidentally double-hashed. This is terrifying.

Adds unit tests.

Props tbcorr, salcode.
Fixes #28435.

Location:
trunk
Files:
2 edited

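--- a/trunk/src/wp-includes/user-functions.php
+++ b/trunk/src/wp-includes/user-functions.php
@@ -1603,5 +1603,5 @@
     $user = add_magic_quotes( $user );
 
-    if ( ! empty($userdata['user_pass']) ) {
+    if ( ! empty( $userdata['user_pass'] ) && $userdata['user_pass'] !== $user_obj->user_pass ) {
         // If password is changing, hash it now
         $plaintext_pass = $userdata['user_pass'];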
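Review bot: The added `$userdata['user_pass'] !== $user_obj->user_pass` check treats the value as unchanged only when it equals the stored hash, so it protects a caller only while that caller's WP_User copy is still current. If `$user_obj` is loaded fresh inside wp_update_user() (inferred, since the function starts and ends outside this hunk) and the stored hash changed after the caller loaded its object, the stale hash no longer matches and would be hashed again as if it were plaintext. The comment on the following line should state that contract, for example `// user_pass equal to the stored hash means an unmodified WP_User was passed back; any other value is treated as plaintext and hashed.` Callers that round-trip a WP_User would be safer unsetting `user_pass` unless they intend to change it.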
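--- a/trunk/tests/phpunit/tests/user.php
+++ b/trunk/tests/phpunit/tests/user.php
@@ -955,3 +955,17 @@
         wp_new_user_notification( $user, 'this_is_deprecated' );
     }
+
+    /**
+     * @ticket 28435
+     */
+    function test_wp_update_user_no_change_pwd() {
+        $testuserid = 1;
+        $user = get_userdata( $testuserid );
+        $pwd_before = $user->user_pass;
+        wp_update_user( $user );
+       
+        // Reload the data
+        $pwd_after = get_userdata( $testuserid )->user_pass;
+        $this->assertEquals( $pwd_before, $pwd_after );
+    }
 }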
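Review bot: test_wp_update_user_no_change_pwd() covers only the unchanged path, so nothing here would fail if the new condition in wp_update_user() ever skipped hashing for a password that really did change and the plaintext reached storage. A companion test that updates `user_pass` with a new value, asserts the stored value differs from both the old hash and the plaintext, and confirms it with `wp_check_password()` would pin that side of the condition. The test also hard-codes `$testuserid = 1`, so it depends on that user existing in the test database; a factory-created user would make it self-contained. The enclosing test class starts outside the hunk.

```php
    // … unchanged: test_wp_update_user_no_change_pwd() …

    /**
     * @ticket 28435
     */
    function test_wp_update_user_hashes_changed_pwd() {
        // Constructed sample value, used only inside this test.
        $new_pass    = 'constructed-sample-pass';
        $user_id     = $this->factory->user->create();
        $hash_before = get_userdata( $user_id )->user_pass;

        wp_update_user( array( 'ID' => $user_id, 'user_pass' => $new_pass ) );

        // Reload the data
        $hash_after = get_userdata( $user_id )->user_pass;
        $this->assertNotEquals( $hash_before, $hash_after );
        $this->assertNotEquals( $new_pass, $hash_after );
        $this->assertTrue( wp_check_password( $new_pass, $hash_after, $user_id ) );
    }
```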