
Changeset 6350


Timestamp:
12/02/2007 05:14:11 AM (17 years ago)
Author:
ryan
Message:

Hash passwords with phpass. Add wp_check_password() and wp_hash_password() functions. Props pishmishy. see #2394

Location:
trunk
Files:
1 added
4 edited

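--- a/trunk/wp-includes/pluggable.php
+++ b/trunk/wp-includes/pluggable.php
@@ -308,19 +308,30 @@
 
     $login = get_userdatabylogin($username);
-    //$login = $wpdb->get_row("SELECT ID, user_login, user_pass FROM $wpdb->users WHERE user_login = '$username'");
-
-    if (!$login) {
+
+    if ( !$login || ($login->user_login != $username) ) {
         $error = __('<strong>ERROR</strong>: Invalid username.');
         return false;
+    }
+
+    // If the password is already_md5, it has been double hashed.
+    // Otherwise, it is plain text.
+    if ( !$already_md5 ) {
+        if ( wp_check_password($password, $login->user_pass) ) {
+            // If using old md5 password, rehash.
+            if ( strlen($login->user_pass) <= 32 ) {
+                $hash = wp_hash_password($password);
+                $wpdb->query("UPDATE $wpdb->users SET user_pass = '$hash', user_activation_key = '' WHERE ID = '$login->ID'");
+                wp_cache_delete($login->ID, 'users');
+            }
+
+            return true;
+        }
     } else {
-        // If the password is already_md5, it has been double hashed.
-        // Otherwise, it is plain text.
-        if ( ($already_md5 && md5($login->user_pass) == $password) || ($login->user_login == $username && $login->user_pass == md5($password)) ) {
+        if ( md5($login->user_pass) == $password )
             return true;
-        } else {
-            $error = __('<strong>ERROR</strong>: Incorrect password.');
-            return false;
-        }
-    }
+    }
+
+    $error = __('<strong>ERROR</strong>: Incorrect password.');
+    return false;
 }
 endif;
@@ -474,6 +485,8 @@
 if ( !function_exists('wp_setcookie') ) :
 function wp_setcookie($username, $password, $already_md5 = false, $home = '', $siteurl = '', $remember = false) {
-    if ( !$already_md5 )
-        $password = md5( md5($password) ); // Double hash the password in the cookie.
+    $user = get_userdatabylogin($username);
+    if ( !$already_md5) {
+        $password = md5($user->user_pass); // Double hash the password in the cookie.
+    }
 
     if ( empty($home) )
@@ -701,3 +714,36 @@
 endif;
 
+if ( !function_exists('wp_hash_password') ) :
+function wp_hash_password($password) {
+    global $wp_hasher;
+
+    if ( empty($wp_hasher) ) {
+        require_once( ABSPATH . 'wp-includes/class-phpass.php');
+        // By default, use the portable hash from phpass
+        $wp_hasher = new PasswordHash(8, TRUE);
+    }
+   
+    return $wp_hasher->HashPassword($password);
+}
+endif;
+
+if ( !function_exists('wp_check_password') ) :
+function wp_check_password($password, $hash) {
+    global $wp_hasher;
+
+    if ( strlen($hash) <= 32 )
+        return ( $hash == md5($password) );
+
+    // If the stored hash is longer than an MD5, presume the
+    // new style phpass portable hash.
+    if ( empty($wp_hasher) ) {
+        require_once( ABSPATH . 'wp-includes/class-phpass.php');
+        // By default, use the portable hash from phpass
+        $wp_hasher = new PasswordHash(8, TRUE);
+    }
+
+    return $wp_hasher->CheckPassword($password, $hash);
+}
+endif;
+
 ?>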
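Review bot: The legacy branch of wp_check_password and the cookie branch of wp_login compare digests with `==`, which PHP evaluates numerically when both operands look numeric, so any two MD5 outputs of the form `0e` followed only by digits compare equal — and in the cookie branch `$password` is the client-supplied cookie value. Use strict comparison on both lines: `return ( $hash === md5($password) );` and `if ( md5($login->user_pass) === $password )`. A constant-time comparison would be better still where the runtime offers one, since `===` stops at the first differing byte. The rehash UPDATE in wp_login also interpolates `$hash` into SQL with no escaping; as far as I recall phpass portable hashes contain no quote characters, so this is not injectable today, but routing the value through the same escaping the file applies elsewhere would remove that dependency on the hash alphabet. wp_login's signature lies above the first hunk, outside this view.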
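--- a/trunk/wp-includes/registration.php
+++ b/trunk/wp-includes/registration.php
@@ -55,6 +55,6 @@
     } else {
         $update = false;
-        // Password is not hashed when creating new user.
-        $user_pass = md5($user_pass);
+        // Hash the password
+        $user_pass = wp_hash_password($user_pass);
     }
 
@@ -157,5 +157,5 @@
     if ( ! empty($userdata['user_pass']) ) {
         $plaintext_pass = $userdata['user_pass'];
-        $userdata['user_pass'] = md5($userdata['user_pass']);
+        $userdata['user_pass'] = wp_hash_password($userdata['user_pass']);
     }
 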
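--- a/trunk/wp-includes/user.php
+++ b/trunk/wp-includes/user.php
@@ -17,6 +17,5 @@
 function user_pass_ok($user_login,$user_pass) {
     $userdata = get_userdatabylogin($user_login);
-
-    return (md5($user_pass) == $userdata->user_pass);
+    return wp_check_password($user_pass, $userdata->user_pass);
 }
 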
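Review bot: user_pass_ok still dereferences `$userdata->user_pass` without checking that get_userdatabylogin found a user, so an unknown login hands a null hash to wp_check_password (raising a notice on the way) instead of failing explicitly. Add a guard between the lookup and the new return line: `if ( !$userdata ) return false;`. With that in place the result for an existing user depends only on wp_check_password, and the unknown-user case no longer relies on how wp_check_password treats an empty hash.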
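--- a/trunk/wp-login.php
+++ b/trunk/wp-login.php
@@ -185,7 +185,7 @@
     // Generate something random for a password... md5'ing current time with a rand salt
     $new_pass = substr( md5( uniqid( microtime() ) ), 0, 7);
-    $wpdb->query("UPDATE $wpdb->users SET user_pass = MD5('$new_pass'), user_activation_key = '' WHERE user_login = '$user->user_login'");
+    $new_hash = wp_hash_password($new_pass);
+    $wpdb->query("UPDATE $wpdb->users SET user_pass = '$new_hash', user_activation_key = '' WHERE ID = '$user->ID'");
     wp_cache_delete($user->ID, 'users');
-    wp_cache_delete($user->user_login, 'userlogins');
     $message  = sprintf(__('Username: %s'), $user->user_login) . "\r\n";
     $message .= sprintf(__('Password: %s'), $new_pass) . "\r\n";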
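Review bot: The value passed to the new wp_hash_password call is seven hex characters of md5(uniqid(microtime())), roughly 28 bits seeded from the clock, so the stronger storage hash does little for the reset flow itself: an attacker who can estimate when the reset was requested can narrow the candidates, and the mailed password remains trivially brute-forceable against the login form. Consider generating a longer password from a stronger random source before it is hashed and mailed, and documenting the entropy on that line rather than calling it "something random". Separately, the hunk drops `wp_cache_delete($user->user_login, 'userlogins')`; if a 'userlogins' cache group is still populated elsewhere, a stale entry holding the old hash would survive the reset — worth confirming. The enclosing reset handler starts and ends outside the hunk.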