Timestamp:
12/02/2007 05:14:11 AM (17 years ago)
Author:
ryan
Message:

Hash passwords with phpass. Add wp_check_password() and wp_hash_password() functions. Props pishmishy. see #2394

File:
1 edited

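--- a/trunk/wp-includes/pluggable.php
+++ b/trunk/wp-includes/pluggable.php
@@ -308,19 +308,30 @@
 
     $login = get_userdatabylogin($username);
-    //$login = $wpdb->get_row("SELECT ID, user_login, user_pass FROM $wpdb->users WHERE user_login = '$username'");
-
-    if (!$login) {
+
+    if ( !$login || ($login->user_login != $username) ) {
         $error = __('<strong>ERROR</strong>: Invalid username.');
         return false;
+    }
+
+    // If the password is already_md5, it has been double hashed.
+    // Otherwise, it is plain text.
+    if ( !$already_md5 ) {
+        if ( wp_check_password($password, $login->user_pass) ) {
+            // If using old md5 password, rehash.
+            if ( strlen($login->user_pass) <= 32 ) {
+                $hash = wp_hash_password($password);
+                $wpdb->query("UPDATE $wpdb->users SET user_pass = '$hash', user_activation_key = '' WHERE ID = '$login->ID'");
+                wp_cache_delete($login->ID, 'users');
+            }
+
+            return true;
+        }
     } else {
-        // If the password is already_md5, it has been double hashed.
-        // Otherwise, it is plain text.
-        if ( ($already_md5 && md5($login->user_pass) == $password) || ($login->user_login == $username && $login->user_pass == md5($password)) ) {
+        if ( md5($login->user_pass) == $password )
             return true;
-        } else {
-            $error = __('<strong>ERROR</strong>: Incorrect password.');
-            return false;
-        }
-    }
+    }
+
+    $error = __('<strong>ERROR</strong>: Incorrect password.');
+    return false;
 }
 endif;
@@ -474,6 +485,8 @@
 if ( !function_exists('wp_setcookie') ) :
 function wp_setcookie($username, $password, $already_md5 = false, $home = '', $siteurl = '', $remember = false) {
-    if ( !$already_md5 )
-        $password = md5( md5($password) ); // Double hash the password in the cookie.
+    $user = get_userdatabylogin($username);
+    if ( !$already_md5) {
+        $password = md5($user->user_pass); // Double hash the password in the cookie.
+    }
 
     if ( empty($home) )
@@ -701,3 +714,36 @@
 endif;
 
+if ( !function_exists('wp_hash_password') ) :
+function wp_hash_password($password) {
+    global $wp_hasher;
+
+    if ( empty($wp_hasher) ) {
+        require_once( ABSPATH . 'wp-includes/class-phpass.php');
+        // By default, use the portable hash from phpass
+        $wp_hasher = new PasswordHash(8, TRUE);
+    }
+   
+    return $wp_hasher->HashPassword($password);
+}
+endif;
+
+if ( !function_exists('wp_check_password') ) :
+function wp_check_password($password, $hash) {
+    global $wp_hasher;
+
+    if ( strlen($hash) <= 32 )
+        return ( $hash == md5($password) );
+
+    // If the stored hash is longer than an MD5, presume the
+    // new style phpass portable hash.
+    if ( empty($wp_hasher) ) {
+        require_once( ABSPATH . 'wp-includes/class-phpass.php');
+        // By default, use the portable hash from phpass
+        $wp_hasher = new PasswordHash(8, TRUE);
+    }
+
+    return $wp_hasher->CheckPassword($password, $hash);
+}
+endif;
+
 ?>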
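Review bot: The legacy-MD5 branch of wp_check_password compares hex digests with loose `==`, so two digests that both consist of `0e` followed only by digits are compared as numbers and can be treated as equal without being identical; that branch should use a strict, constant-time comparison such as `return hash_equals($hash, md5($password));` (or at minimum `===`). The same loose comparison is kept in wp_login's `$already_md5` branch, `if ( md5($login->user_pass) == $password )`; wp_login begins above the first hunk, so its full flow is not visible here. That branch together with the new wp_setcookie code also makes the cookie value a plain MD5 of the stored hash, so the value is derivable from `user_pass` alone and a leaked users table still yields accepted cookie values even though the at-rest hash is now phpass. Closing that gap likely needs a keyed cookie scheme rather than a one-line change, so it is worth tracking separately from this changeset.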