Make WordPress Core


Timestamp:
10/13/2015 02:47:09 AM (10 years ago)
Author:
wonderboymusic
Message:

Users: when passing a WP_User instance to wp_update_user(), ensure that the user password is not accidentally double-hashed. This is terrifying.

Adds unit tests.

Props tbcorr, salcode.
Fixes #28435.

File:
1 edited

  • trunk/src/wp-includes/user-functions.php

    r34965 r35116  
    16031603    $user = add_magic_quotes( $user );
    16041604
    1605     if ( ! empty($userdata['user_pass']) ) {
     1605    if ( ! empty( $userdata['user_pass'] ) && $userdata['user_pass'] !== $user_obj->user_pass ) {
    16061606        // If password is changing, hash it now
    16071607        $plaintext_pass = $userdata['user_pass'];
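Review bot: The comment on line 1606 ("If password is changing, hash it now") no longer explains the condition on new line 1605, which now also compares `$userdata['user_pass']` against `$user_obj->user_pass`. A reader cannot tell from the hunk that the right-hand side is the already-stored hash carried in by a WP_User instance, and that an identical value is treated as "unchanged" and skipped rather than hashed again. Suggest extending the comment to say so, and to state that the guard depends on an exact string match with the stored value, so anything that alters `$userdata['user_pass']` before this line would send the stored hash back into the hashing branch. The unit tests mentioned in the commit message should pin both paths: an unchanged WP_User round trip, and a real password change.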