Make WordPress Core


Timestamp:
04/05/2022 03:25:38 AM (2 years ago)
Author:
peterwilsoncc
Message:

Login, Registration: Prevent password reset to whitespace alone.

Prevent users from using the password reset form to set their password to whitespace alone (tabs, spaces). This matches the processing used during the authentication flow, ensuring users do not inadvertently get locked out of their account.

Props antonrinas, swissspidy, voldemortensen, hellofromTonya, henry.wright, costdev.
Fixes #35500.

File:
1 edited

  • trunk/src/wp-login.php

    r53041 r53067  
    905905        $errors = new WP_Error();
    906906
    907         if ( isset( $_POST['pass1'] ) && $_POST['pass1'] !== $_POST['pass2'] ) {
     907        // Check if password is one or all empty spaces.
     908        if ( ! empty( $_POST['pass1'] ) ) {
     909            $_POST['pass1'] = trim( $_POST['pass1'] );
     910
     911            if ( empty( $_POST['pass1'] ) ) {
     912                $errors->add( 'password_reset_empty_space', __( 'The password cannot be a space or all spaces.' ) );
     913            }
     914        }
     915
     916        // Check if password fields do not match.
     917        if ( ! empty( $_POST['pass1'] ) && $_POST['pass1'] !== trim( $_POST['pass2'] ) ) {
    908918            $errors->add( 'password_reset_mismatch', __( '<strong>Error</strong>: The passwords do not match.' ) );
    909919        }