
Changeset 49118


Timestamp:
10/10/2020 04:49:35 PM (4 years ago)
Author:
adamsilverstein
Message:

Users: prevent saving empty passwords, trim space from password ends on save.

Fix an issue where users could save a password with only spaces, or spaces at the beginning or end of their password, preventing them from logging in.

Props ronakganatra, 1naveengiri, ajensen, oolleegg55, bookdude13, nrqsnchz, aristath.
Fixes #42766.

Location:
trunk
Files:
3 edited

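--- a/trunk/src/js/_enqueues/admin/user-profile.js
+++ b/trunk/src/js/_enqueues/admin/user-profile.js
@@ -216,5 +216,5 @@
 
         $('#pass-strength-result').removeClass('short bad good strong empty');
-        if ( ! pass1 ) {
+        if ( ! pass1 || '' ===  pass1.trim() ) {
             $( '#pass-strength-result' ).addClass( 'empty' ).html( ' ' );
             return;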
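Review bot: The new guard at line 218 trims `pass1` only for the emptiness test, so a value with leading or trailing spaces presumably still reaches the strength scoring further down untrimmed, while the server side of this changeset stores the trimmed value. The padding can then count toward the displayed strength even though it is discarded on save. Normalising once before the check, for example `pass1 = pass1 ? pass1.trim() : pass1;`, would keep the meter in step with what is stored, and the double space in `'' ===  pass1.trim()` can be collapsed at the same time. The enclosing function starts and ends outside the hunk, so the scoring call is inferred rather than visible.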
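--- a/trunk/src/wp-admin/includes/user.php
+++ b/trunk/src/wp-admin/includes/user.php
@@ -48,8 +48,8 @@
     $pass2 = '';
     if ( isset( $_POST['pass1'] ) ) {
-        $pass1 = $_POST['pass1'];
+        $pass1 = trim( $_POST['pass1'] );
     }
     if ( isset( $_POST['pass2'] ) ) {
-        $pass2 = $_POST['pass2'];
+        $pass2 = trim( $_POST['pass2'] );
     }
 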
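Review bot: `trim()` is now called on `$_POST['pass1']` (line 50) and `$_POST['pass2']` (line 53) without checking that the value is a string. `isset()` is also true for an array-valued field, and `trim()` then raises a warning and returns null on PHP 7, or throws a TypeError on PHP 8. Guarding the type keeps malformed input on the existing "no password supplied" path: `$pass1 = is_string( $_POST['pass1'] ) ? trim( $_POST['pass1'] ) : '';`, and the same for `$pass2`. A short comment such as `// Trimmed so the stored password matches what the login form accepts.` would record why the secret is altered; that rationale comes from the commit message and should be confirmed against the authentication code. The enclosing function begins and ends outside this hunk.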
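--- a/trunk/tests/phpunit/tests/user.php
+++ b/trunk/tests/phpunit/tests/user.php
@@ -1452,4 +1452,5 @@
      *
      * @ticket 35715
+     * @ticket 42766
      */
     function test_edit_user_blank_pw() {
@@ -1492,4 +1493,16 @@
         $this->assertSame( 'nickname_updated', $user->nickname );
 
+        // Check not to change an old password if a new password contains only spaces. Ticket #42766
+        $user           = get_user_by( 'ID', $user_id );
+        $old_pass       = $user->user_pass;
+        $_POST['pass2'] = '  ';
+        $_POST['pass1'] = '  ';
+
+        $user_id = edit_user( $user_id );
+        $user    = get_user_by( 'ID', $user_id );
+
+        $this->assertInternalType( 'int', $user_id );
+        $this->assertEquals( $old_pass, $user->user_pass );
+
         // Check updating user with missing second password.
         $_POST['nickname'] = 'nickname_updated2';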
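Review bot: The assertions added at lines 1495-1505 cover only the all-spaces case. The other half of the change, that surrounding spaces are stripped from a non-empty password before it is stored, has no test here. A case that posts a padded password and checks the stored hash against the unpadded string with `wp_check_password()` would pin that behaviour, as sketched below with a constructed sample value. The new `assertEquals( $old_pass, $user->user_pass )` could also be `assertSame`, as the context line at 1493 uses, so the hash is compared strictly. test_edit_user_blank_pw starts before and continues after this hunk, so whether the remaining `$_POST` state lets the extra update succeed needs checking.

```php
// … unchanged: all-spaces check ending in assertEquals( $old_pass, $user->user_pass ) …

// Check that surrounding spaces are stripped before the password is stored.
// 'padded_pass' is a constructed sample value.
$_POST['pass1'] = ' padded_pass ';
$_POST['pass2'] = ' padded_pass ';

$user_id = edit_user( $user_id );
$user    = get_user_by( 'ID', $user_id );

$this->assertInternalType( 'int', $user_id );
$this->assertTrue( wp_check_password( 'padded_pass', $user->user_pass, $user_id ) );
```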