Changeset 6387
- Timestamp:
- 12/16/2007 05:41:59 PM (17 years ago)
- Location:
- trunk
- Files:
-
- 7 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/wp-admin/includes/misc.php
r6025 r6387 129 129 } 130 130 131 // If siteurl or home changed, reset cookies andflush rewrite rules.131 // If siteurl or home changed, flush rewrite rules. 132 132 function update_home_siteurl( $old_value, $value ) { 133 133 global $wp_rewrite, $user_login, $user_pass_md5; … … 138 138 // If home changed, write rewrite rules to new location. 139 139 $wp_rewrite->flush_rules(); 140 // Clear cookies for old paths.141 wp_clearcookie();142 // Set cookies for new paths.143 wp_setcookie( $user_login, $user_pass_md5, true, get_option( 'home' ), get_option( 'siteurl' ));144 140 } 145 141 -
trunk/wp-config-sample.php
r5457 r6387 7 7 define('DB_CHARSET', 'utf8'); 8 8 define('DB_COLLATE', ''); 9 define('SECRET_KEY', ''); // Change this to a unique phrase. 9 10 10 11 // You can have multiple installations in one database if you give each a unique prefix -
trunk/wp-includes/compat.php
r6309 r6387 148 148 } 149 149 150 if ( ! function_exists('hash_hmac') ): 151 function hash_hmac($algo, $data, $key, $raw_output = false) { 152 $packs = array('md5' => 'H32', 'sha1' => 'H40'); 153 154 if ( !isset($packs[$algo]) ) 155 return false; 156 157 $pack = $packs[$algo]; 158 159 if (strlen($key) > 64) 160 $key = pack($pack, $algo($key)); 161 else if (strlen($key) < 64) 162 $key = str_pad($key, 64, chr(0)); 163 164 $ipad = (substr($key, 0, 64) ^ str_repeat(chr(0x36), 64)); 165 $opad = (substr($key, 0, 64) ^ str_repeat(chr(0x5C), 64)); 166 167 return $algo($opad . pack($pack, $algo($ipad . $data))); 168 } 169 endif; 170 150 171 // Added in PHP 4.3.0? 151 172 if (!defined('IMAGETYPE_GIF')) -
trunk/wp-includes/pluggable.php
r6385 r6387 47 47 return; 48 48 49 if ( empty($_COOKIE[USER_COOKIE]) || empty($_COOKIE[PASS_COOKIE]) || 50 !wp_login($_COOKIE[USER_COOKIE], $_COOKIE[PASS_COOKIE], true) ) { 49 if ( ! $user = wp_validate_auth_cookie() ) { 51 50 wp_set_current_user(0); 52 51 return false; 53 52 } 54 53 55 $user_login = $_COOKIE[USER_COOKIE]; 56 wp_set_current_user(0, $user_login); 54 wp_set_current_user($user); 57 55 } 58 56 endif; … … 294 292 295 293 if ( !function_exists('wp_login') ) : 296 function wp_login($username, $password, $ already_md5= false) {294 function wp_login($username, $password, $deprecated = false) { 297 295 global $wpdb, $error; 298 296 … … 314 312 } 315 313 316 // If the password is already_md5, it has been double hashed. 317 // Otherwise, it is plain text. 318 if ( !$already_md5 ) { 319 if ( wp_check_password($password, $login->user_pass) ) { 320 // If using old md5 password, rehash. 321 if ( strlen($login->user_pass) <= 32 ) { 322 $hash = wp_hash_password($password); 323 $wpdb->query("UPDATE $wpdb->users SET user_pass = '$hash', user_activation_key = '' WHERE ID = '$login->ID'"); 324 wp_cache_delete($login->ID, 'users'); 325 } 326 327 return true; 328 } 314 if ( !wp_check_password($password, $login->user_pass) ) { 315 $error = __('<strong>ERROR</strong>: Incorrect password.'); 316 return false; 317 } 318 319 // If using old md5 password, rehash. 320 if ( strlen($login->user_pass) <= 32 ) { 321 $hash = wp_hash_password($password); 322 $wpdb->query("UPDATE $wpdb->users SET user_pass = '$hash', user_activation_key = '' WHERE ID = '$login->ID'"); 323 wp_cache_delete($login->ID, 'users'); 324 } 325 326 return true; 327 } 328 endif; 329 330 if ( !function_exists('wp_validate_auth_cookie') ) : 331 function wp_validate_auth_cookie($cookie = '') { 332 if ( empty($cookie) ) { 333 if ( empty($_COOKIE[AUTH_COOKIE]) ) 334 return false; 335 $cookie = $_COOKIE[AUTH_COOKIE]; 336 } 337 338 list($username, $expiration, $hmac) = explode('|', $cookie); 339 340 $expired = $expiration; 341 342 // Allow a grace period for POST requests 343 if ( 'POST' == $_SERVER['REQUEST_METHOD'] ) 344 $expired += 3600; 345 346 if ( $expired < time() ) 347 return false; 348 349 $key = wp_hash($username . $expiration); 350 $hash = hash_hmac('md5', $username . $expiration, $key); 351 352 if ( $hmac != $hash ) 353 return false; 354 355 $user = get_userdatabylogin($username); 356 if ( ! $user ) 357 return false; 358 359 return $user->ID; 360 } 361 endif; 362 363 if ( !function_exists('wp_set_auth_cookie') ) : 364 function wp_set_auth_cookie($user_id, $remember = false) { 365 $user = get_userdata($user_id); 366 367 if ( $remember ) { 368 $expiration = $expire = time() + 1209600; 329 369 } else { 330 if ( md5($login->user_pass) == $password ) 331 return true; 332 } 333 334 $error = __('<strong>ERROR</strong>: Incorrect password.'); 335 return false; 370 $expiration = time() + 172800; 371 $expire = 0; 372 } 373 374 $key = wp_hash($user->user_login . $expiration); 375 $hash = hash_hmac('md5', $user->user_login . $expiration, $key); 376 377 $cookie = $user->user_login . '|' . $expiration . '|' . $hash; 378 379 setcookie(AUTH_COOKIE, $cookie, $expire, COOKIEPATH, COOKIE_DOMAIN); 380 if ( COOKIEPATH != SITECOOKIEPATH ) 381 setcookie(AUTH_COOKIE, $cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN); 382 } 383 endif; 384 385 if ( !function_exists('wp_clear_auth_cookie') ) : 386 function wp_clear_auth_cookie() { 387 setcookie(AUTH_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN); 388 setcookie(AUTH_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN); 389 390 // Old cookies 391 setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN); 392 setcookie(PASS_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN); 393 setcookie(USER_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN); 394 setcookie(PASS_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN); 336 395 } 337 396 endif; … … 351 410 function auth_redirect() { 352 411 // Checks if a user is logged in, if not redirects them to the login page 353 if ( (!empty($_COOKIE[ USER_COOKIE]) &&354 !wp_ login($_COOKIE[USER_COOKIE], $_COOKIE[PASS_COOKIE], true)) ||355 (empty($_COOKIE[ USER_COOKIE])) ) {412 if ( (!empty($_COOKIE[AUTH_COOKIE]) && 413 !wp_validate_auth_cookie($_COOKIE[AUTH_COOKIE])) || 414 (empty($_COOKIE[AUTH_COOKIE])) ) { 356 415 nocache_headers(); 357 416 … … 380 439 $current_name = ''; 381 440 if ( ( $current = wp_get_current_user() ) && $current->ID ) 382 $current_name = $current-> data->user_login;441 $current_name = $current->user_login; 383 442 if ( !$current_name ) 384 443 die('-1'); 385 444 445 $auth_cookie = ''; 386 446 $cookie = explode('; ', urldecode(empty($_POST['cookie']) ? $_GET['cookie'] : $_POST['cookie'])); // AJAX scripts must pass cookie=document.cookie 387 447 foreach ( $cookie as $tasty ) { 388 if ( false !== strpos($tasty, USER_COOKIE) ) 389 $user = substr(strstr($tasty, '='), 1); 390 if ( false !== strpos($tasty, PASS_COOKIE) ) 391 $pass = substr(strstr($tasty, '='), 1); 448 if ( false !== strpos($tasty, AUTH_COOKIE) ) 449 $auth_cookie = substr(strstr($tasty, '='), 1); 392 450 } 393 451 394 if ( $current_name != $user || !wp_login( $user, $pass, true ) )452 if ( $current_name != $user || empty($auth_cookie) || !wp_validate_auth_cookie( $auth_cookie ) ) 395 453 die('-1'); 396 454 } … … 470 528 471 529 wp_redirect($location, $status); 472 }473 endif;474 475 if ( !function_exists('wp_get_cookie_login') ):476 function wp_get_cookie_login() {477 if ( empty($_COOKIE[USER_COOKIE]) || empty($_COOKIE[PASS_COOKIE]) )478 return false;479 480 return array('login' => $_COOKIE[USER_COOKIE], 'password' => $_COOKIE[PASS_COOKIE]);481 }482 483 endif;484 485 if ( !function_exists('wp_setcookie') ) :486 function wp_setcookie($username, $password, $already_md5 = false, $home = '', $siteurl = '', $remember = false) {487 $user = get_userdatabylogin($username);488 if ( !$already_md5) {489 $password = md5($user->user_pass); // Double hash the password in the cookie.490 }491 492 if ( empty($home) )493 $cookiepath = COOKIEPATH;494 else495 $cookiepath = preg_replace('|https?://[^/]+|i', '', $home . '/' );496 497 if ( empty($siteurl) ) {498 $sitecookiepath = SITECOOKIEPATH;499 $cookiehash = COOKIEHASH;500 } else {501 $sitecookiepath = preg_replace('|https?://[^/]+|i', '', $siteurl . '/' );502 $cookiehash = md5($siteurl);503 }504 505 if ( $remember )506 $expire = time() + 31536000;507 else508 $expire = 0;509 510 setcookie(USER_COOKIE, $username, $expire, $cookiepath, COOKIE_DOMAIN);511 setcookie(PASS_COOKIE, $password, $expire, $cookiepath, COOKIE_DOMAIN);512 513 if ( $cookiepath != $sitecookiepath ) {514 setcookie(USER_COOKIE, $username, $expire, $sitecookiepath, COOKIE_DOMAIN);515 setcookie(PASS_COOKIE, $password, $expire, $sitecookiepath, COOKIE_DOMAIN);516 }517 }518 endif;519 520 if ( !function_exists('wp_clearcookie') ) :521 function wp_clearcookie() {522 setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);523 setcookie(PASS_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);524 setcookie(USER_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);525 setcookie(PASS_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);526 530 } 527 531 endif; … … 693 697 function wp_salt() { 694 698 $salt = get_option('secret'); 695 if ( empty($salt) ) 696 $salt = DB_PASSWORD . DB_USER . DB_NAME . DB_HOST . ABSPATH; 697 698 return $salt; 699 if ( empty($salt) ) { 700 $salt = wp_generate_password(); 701 update_option('secret', $salt); 702 } 703 704 if ( !defined('SECRET_KEY') || '' == SECRET_KEY ) 705 $secret_key = DB_PASSWORD . DB_USER . DB_NAME . DB_HOST . ABSPATH; 706 else 707 $secret_key = SECRET_KEY; 708 709 return $salt . $secret_key; 699 710 } 700 711 endif; … … 759 770 } 760 771 endif; 772 773 // Deprecated. Use wp_set_auth_cookie() 774 if ( !function_exists('wp_setcookie') ) : 775 function wp_setcookie($username, $password = '', $already_md5 = false, $home = '', $siteurl = '', $remember = false) { 776 $user = get_userdatabylogin($username); 777 wp_set_auth_cookie($user->ID, $remember); 778 } 779 endif; 780 781 // Deprecated. Use wp_clear_auth_cookie() 782 if ( !function_exists('wp_clearcookie') ) : 783 function wp_clearcookie() { 784 wp_clear_auth_cookie(); 785 } 786 endif; 787 788 // Deprecated. No alternative. 789 if ( !function_exists('wp_get_cookie_login') ): 790 function wp_get_cookie_login() { 791 return false; 792 } 793 endif; 794 761 795 ?> -
trunk/wp-includes/registration.php
r6350 r6387 168 168 if ( $current_user->id == $ID ) { 169 169 if ( isset($plaintext_pass) ) { 170 wp_clear cookie();171 wp_set cookie($userdata['user_login'], $plaintext_pass);170 wp_clear_auth_cookie(); 171 wp_set_auth_cookie($ID); 172 172 } 173 173 } -
trunk/wp-login.php
r6385 r6387 289 289 $user_login = ''; 290 290 $user_pass = ''; 291 $using_cookie = FALSE;292 291 293 292 if ( !isset( $_REQUEST['redirect_to'] ) || is_user_logged_in() ) … … 297 296 298 297 if ( $http_post ) { 298 // If cookies are disabled we can't log in even with a valid user+pass 299 if ( empty($_COOKIE[TEST_COOKIE]) ) 300 $errors['test_cookie'] = __('<strong>ERROR</strong>: WordPress requires Cookies but your browser does not support them or they are blocked.'); 301 299 302 $user_login = $_POST['log']; 300 303 $user_login = sanitize_user( $user_login ); 301 304 $user_pass = $_POST['pwd']; 302 305 $rememberme = $_POST['rememberme']; 306 307 do_action_ref_array('wp_authenticate', array(&$user_login, &$user_pass)); 303 308 } else { 304 $ cookie_login = wp_get_cookie_login();305 if ( ! empty($cookie_login)) {306 $ using_cookie = true;307 $user_login = $cookie_login['login'];308 $user _pass = $cookie_login['password'];309 } 310 }311 312 do_action_ref_array('wp_authenticate', array(&$user_login, &$user_pass));313 314 // If cookies are disabled we can't log in even with a valid user+pass315 if ( $http_post && empty($_COOKIE[TEST_COOKIE]) )316 $errors['test_cookie'] = __('<strong>ERROR</strong>: WordPress requires Cookies but your browser does not support them or they are blocked.');309 $user = wp_validate_auth_cookie(); 310 if ( !$user ) { 311 $errors['expiredsession'] = __('Your session has expired.'); 312 } else { 313 $user = new WP_User($user); 314 315 // If the user can't edit posts, send them to their profile. 316 if ( !$user->has_cap('edit_posts') && ( empty( $redirect_to ) || $redirect_to == 'wp-admin/' ) ) 317 $redirect_to = get_option('siteurl') . '/wp-admin/profile.php'; 318 wp_safe_redirect($redirect_to); 319 exit(); 320 } 321 } 317 322 318 323 if ( $user_login && $user_pass && empty( $errors ) ) { … … 323 328 $redirect_to = get_option('siteurl') . '/wp-admin/profile.php'; 324 329 325 if ( wp_login($user_login, $user_pass, $using_cookie) ) { 326 if ( !$using_cookie ) 327 wp_setcookie($user_login, $user_pass, false, '', '', $rememberme); 330 if ( wp_login($user_login, $user_pass) ) { 331 wp_set_auth_cookie($user->ID, $rememberme); 328 332 do_action('wp_login', $user_login); 329 333 wp_safe_redirect($redirect_to); 330 334 exit(); 331 } else {332 if ( $using_cookie )333 $errors['expiredsession'] = __('Your session has expired.');334 335 } 335 336 } -
trunk/wp-settings.php
r6325 r6387 187 187 188 188 if ( !defined('USER_COOKIE') ) 189 define('USER_COOKIE', 'wordpressuser_' . COOKIEHASH);189 define('USER_COOKIE', 'wordpressuser_' . COOKIEHASH); 190 190 if ( !defined('PASS_COOKIE') ) 191 define('PASS_COOKIE', 'wordpresspass_'. COOKIEHASH); 191 define('PASS_COOKIE', 'wordpresspass_' . COOKIEHASH); 192 if ( !defined('AUTH_COOKIE') ) 193 define('AUTH_COOKIE', 'wordpress_' . COOKIEHASH); 192 194 if ( !defined('TEST_COOKIE') ) 193 195 define('TEST_COOKIE', 'wordpress_test_cookie');
Note: See TracChangeset
for help on using the changeset viewer.