Make WordPress Core

Changeset 55397

Timestamp:
02/21/2023 03:57:36 PM
Author:
TimothyBlynJacobs
Message:

Recovery Mode: Use PasswordHash API directly when validating keys.

Previously, the wp_check_password function was used for validating keys, while the PasswordHash class was used for creating keys. This would prevent Recovery Mode from working on sites that provide a custom implementation for the wp_check_password pluggable function.

Props calvinalkan.
Fixes #56787.

File:
1 edited

  • trunk/src/wp-includes/class-wp-recovery-mode-key-service.php

    r54133 r55397  
    8686     * @since 5.2.0
    8787     *
     88     * @global PasswordHash $wp_hasher
     89     *
    8890     * @param string $token The token used when generating the given key.
    8991     * @param string $key   The unhashed key.
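Review bot: the docblock gains the `@global PasswordHash $wp_hasher` tag but its `@since 5.2.0` entry does not record that this changeset alters how the key is verified; per WordPress docblock convention, add a second `@since` line (version to be set at release) stating that validation now calls the PasswordHash API directly instead of the `wp_check_password()` pluggable, so the behaviour change is discoverable from the method's documentation.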
     
    9294     */
    9395    public function validate_recovery_mode_key( $token, $key, $ttl ) {
     96        global $wp_hasher;
    9497
    9598        $records = $this->get_keys();
     
    107110        }
    108111
    109         if ( ! wp_check_password( $key, $record['hashed_key'] ) ) {
     112        if ( empty( $wp_hasher ) ) {
     113            require_once ABSPATH . WPINC . '/class-phpass.php';
     114            $wp_hasher = new PasswordHash( 8, true );
     115        }
     116
     117        if ( ! $wp_hasher->CheckPassword( $key, $record['hashed_key'] ) ) {
    110118            return new WP_Error( 'hash_mismatch', __( 'Invalid recovery key.' ) );
    111119        }
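Review bot: the fallback block `if ( empty( $wp_hasher ) ) { require_once ABSPATH . WPINC . '/class-phpass.php'; $wp_hasher = new PasswordHash( 8, true ); }` duplicates hasher setup that the key-creation path in this class must also perform (the commit message says keys are created with the PasswordHash class); extracting it into one private helper used by both generation and validation keeps the two paths from drifting. A short code comment above the `CheckPassword()` call should also state that the `wp_check_password()` pluggable is bypassed on purpose, so the replaced line `if ( ! wp_check_password( $key, $record['hashed_key'] ) ) {` is not later "restored" by someone reading this as a regression from the standard password-checking path.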