Changeset 59893 for trunk/src/wp-includes/pluggable.php

Timestamp:

02/28/2025 06:51:44 PM (8 months ago)

Author:

johnbillion

Message:

Security: Reintroduce support for passwords hashed with MD5.

This reinstates the ability for a user to log in to an account where the password is hashed using MD5. This means that the ability to reset a password directly in the database using an SQL query or a database administration tool will be retained without the need to implement or integrate with bcrypt or phpass.

A password hashed with MD5 will get upgraded to bcrypt at the point where a user successfully logs in, just as is the case with a phpass hash.

Props audrasjb, aaronjorbin, johnbillion, david-innes, benniledl.

See #21022.

File:

• trunk/src/wp-includes/pluggable.php (modified) (3 diffs)

trunk/src/wp-includes/pluggable.php

@@ -2725 +2725 @@
      * @since 6.8.0 Passwords in WordPress are now hashed with bcrypt by default. A
      *              password that wasn't hashed with bcrypt will be checked with phpass.
-     *              Passwords hashed with md5 are no longer supported.
      *
      * @global PasswordHash $wp_hasher phpass object. Used as a fallback for verifying
@@ -2743 +2742 @@
         global $wp_hasher;
 
-        $check = false;
-
-        // If the hash is still md5 or otherwise truncated then invalidate it.
         if ( strlen( $hash ) <= 32 ) {
-            /**
-             * Filters whether the plaintext password matches the hashed password.
-             *
-             * @since 2.5.0
-             * @since 6.8.0 Passwords are now hashed with bcrypt by default.
-             *              Old passwords may still be hashed with phpass.
-             *
-             * @param bool       $check    Whether the passwords match.
-             * @param string     $password The plaintext password.
-             * @param string     $hash     The hashed password.
-             * @param string|int $user_id  Optional ID of a user associated with the password.
-             *                             Can be empty.
-             */
-            return apply_filters( 'check_password', $check, $password, $hash, $user_id );
-        }
-
-        if ( ! empty( $wp_hasher ) ) {
+            // Check the hash using md5 regardless of the current hashing mechanism.
+            $check = hash_equals( $hash, md5( $password ) );
+        } elseif ( ! empty( $wp_hasher ) ) {
             // Check the password using the overridden hasher.
             $check = $wp_hasher->CheckPassword( $password, $hash );
         } elseif ( strlen( $password ) > 4096 ) {
+            // Passwords longer than 4096 characters are not supported.
             $check = false;
         } elseif ( str_starts_with( $hash, '$wp' ) ) {
@@ -2781 +2764 @@
         }
 
-        /** This filter is documented in wp-includes/pluggable.php */
+        /**
+         * Filters whether the plaintext password matches the hashed password.
+         *
+         * @since 2.5.0
+         * @since 6.8.0 Passwords are now hashed with bcrypt by default.
+         *              Old passwords may still be hashed with phpass or md5.
+         *
+         * @param bool       $check    Whether the passwords match.
+         * @param string     $password The plaintext password.
+         * @param string     $hash     The hashed password.
+         * @param string|int $user_id  Optional ID of a user associated with the password.
+         *                             Can be empty.
+         */
         return apply_filters( 'check_password', $check, $password, $hash, $user_id );
     }