Changeset 6350


Timestamp:
12/02/07 05:14:11 (10 years ago)
Author:
ryan
Message:

Hash passwords with phpass. Add wp_check_password() and wp_hash_password() functions. Props pishmishy. see #2394

Location:
trunk
Files:
1 added
4 edited

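--- a/trunk/wp-includes/pluggable.php
+++ b/trunk/wp-includes/pluggable.php
@@ -308,19 +308,30 @@
 
     $login = get_userdatabylogin($username);
-    //$login = $wpdb->get_row("SELECT ID, user_login, user_pass FROM $wpdb->users WHERE user_login = '$username'");
-
-    if (!$login) {
+
+    if ( !$login || ($login->user_login != $username) ) {
         $error = __('<strong>ERROR</strong>: Invalid username.');
         return false;
+    }
+
+    // If the password is already_md5, it has been double hashed.
+    // Otherwise, it is plain text.
+    if ( !$already_md5 ) {
+        if ( wp_check_password($password, $login->user_pass) ) {
+            // If using old md5 password, rehash.
+            if ( strlen($login->user_pass) <= 32 ) {
+                $hash = wp_hash_password($password);
+                $wpdb->query("UPDATE $wpdb->users SET user_pass = '$hash', user_activation_key = '' WHERE ID = '$login->ID'");
+                wp_cache_delete($login->ID, 'users');
+            }
+
+            return true;
+        }
     } else {
-        // If the password is already_md5, it has been double hashed.
-        // Otherwise, it is plain text.
-        if ( ($already_md5 && md5($login->user_pass) == $password) || ($login->user_login == $username && $login->user_pass == md5($password)) ) {
+        if ( md5($login->user_pass) == $password )
             return true;
-        } else {
-            $error = __('<strong>ERROR</strong>: Incorrect password.');
-            return false;
-        }
-    }
+    }
+
+    $error = __('<strong>ERROR</strong>: Incorrect password.');
+    return false;
 }
 endif;
@@ -474,6 +485,8 @@
 if ( !function_exists('wp_setcookie') ) :
 function wp_setcookie($username, $password, $already_md5 = false, $home = '', $siteurl = '', $remember = false) {
-    if ( !$already_md5 )
-        $password = md5( md5($password) ); // Double hash the password in the cookie.
+    $user = get_userdatabylogin($username);
+    if ( !$already_md5) {
+        $password = md5($user->user_pass); // Double hash the password in the cookie.
+    }
 
     if ( empty($home) )
@@ -701,3 +714,36 @@
 endif;
 
+if ( !function_exists('wp_hash_password') ) :
+function wp_hash_password($password) {
+    global $wp_hasher;
+
+    if ( empty($wp_hasher) ) {
+        require_once( ABSPATH . 'wp-includes/class-phpass.php');
+        // By default, use the portable hash from phpass
+        $wp_hasher = new PasswordHash(8, TRUE);
+    }
+    
+    return $wp_hasher->HashPassword($password);
+}
+endif;
+
+if ( !function_exists('wp_check_password') ) :
+function wp_check_password($password, $hash) {
+    global $wp_hasher;
+
+    if ( strlen($hash) <= 32 )
+        return ( $hash == md5($password) );
+
+    // If the stored hash is longer than an MD5, presume the
+    // new style phpass portable hash.
+    if ( empty($wp_hasher) ) {
+        require_once( ABSPATH . 'wp-includes/class-phpass.php');
+        // By default, use the portable hash from phpass
+        $wp_hasher = new PasswordHash(8, TRUE);
+    }
+
+    return $wp_hasher->CheckPassword($password, $hash);
+}
+endif;
+
 ?>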
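--- a/trunk/wp-includes/registration.php
+++ b/trunk/wp-includes/registration.php
@@ -55,6 +55,6 @@
     } else {
         $update = false;
-        // Password is not hashed when creating new user.
-        $user_pass = md5($user_pass);
+        // Hash the password
+        $user_pass = wp_hash_password($user_pass);
     }
 
@@ -157,5 +157,5 @@
     if ( ! empty($userdata['user_pass']) ) {
         $plaintext_pass = $userdata['user_pass'];
-        $userdata['user_pass'] = md5($userdata['user_pass']);
+        $userdata['user_pass'] = wp_hash_password($userdata['user_pass']);
     }
 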
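--- a/trunk/wp-includes/user.php
+++ b/trunk/wp-includes/user.php
@@ -17,6 +17,5 @@
 function user_pass_ok($user_login,$user_pass) {
     $userdata = get_userdatabylogin($user_login);
-
-    return (md5($user_pass) == $userdata->user_pass);
+    return wp_check_password($user_pass, $userdata->user_pass);
 }
 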
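Review bot: `user_pass_ok()` passes `$userdata->user_pass` to `wp_check_password()` without checking that `get_userdatabylogin()` actually returned a user, so an unknown login dereferences a non-object (a PHP notice) and the check falls into the md5 branch comparing against `null`. The result is still a rejected login, but only by accident; make it explicit with `if ( !$userdata ) return false;` before the return. The `wp_login` path in this same changeset additionally rejects a match when `$login->user_login != $username`; this helper does not mirror that guard, so it is worth confirming whether the exact-login check was meant to apply here as well.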
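--- a/trunk/wp-login.php
+++ b/trunk/wp-login.php
@@ -185,7 +185,7 @@
     // Generate something random for a password... md5'ing current time with a rand salt
     $new_pass = substr( md5( uniqid( microtime() ) ), 0, 7);
-    $wpdb->query("UPDATE $wpdb->users SET user_pass = MD5('$new_pass'), user_activation_key = '' WHERE user_login = '$user->user_login'");
+    $new_hash = wp_hash_password($new_pass);
+    $wpdb->query("UPDATE $wpdb->users SET user_pass = '$new_hash', user_activation_key = '' WHERE ID = '$user->ID'");
     wp_cache_delete($user->ID, 'users');
-    wp_cache_delete($user->user_login, 'userlogins');
     $message  = sprintf(__('Username: %s'), $user->user_login) . "\r\n";
     $message .= sprintf(__('Password: %s'), $new_pass) . "\r\n";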
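Review bot: The new `$new_hash = wp_hash_password($new_pass);` line protects a reset password that the context line above still derives from `substr( md5( uniqid( microtime() ) ), 0, 7)` — seven hex characters (at most 28 bits) seeded from the clock rather than a cryptographic random source — so the stronger storage format adds little while the secret itself is predictable from the request time. Since this change already reworks how the reset password is stored, it would be the natural place to generate it from a stronger source and a longer alphabet as well (the tree's random-password helper, if one exists, or bytes read from `/dev/urandom`). The new UPDATE interpolates `$new_hash` and `$user->ID` directly into SQL; both are trusted here (phpass output and a database row), but passing them through the escaping the rest of the file uses would keep that property from depending on phpass's output alphabet. The surrounding function starts above and ends below this hunk.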