WordPress.org

Make WordPress Core

Opened 11 years ago

Closed 11 years ago

Last modified 7 years ago

#10453 closed defect (bug) (worksforme)

authentication errors from plugins sometimes get suppressed

Reported by: wnorris
Owned by: ryan
Milestone:
Priority: normal
Severity: normal
Version: 2.8.1
Component: Security
Keywords: reporter-feedback
Focuses:
Cc:

Description

I've noticed that the new authentication code in WP 2.8 sometimes suppresses error messages from plugins which implement the 'authenticate' hook. This happens on wp-login.php when both the username and password fields are left empty.

The included patch does two things:

  • modifies wp_authenticate_username_password to maintain an existing WP_Error object if present. Also changes how wp_signon clears out the 'empty_username' and 'empty_password' errors, to ensure that any others are maintained (this last part could be made cleaner if WP_Error exposed a remove method)
  • modifies the 'login_errors' and 'login_messages' filter calls in wp-login.php to pass the raw $wp_errors object as an optional second parameter
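
The suppression described above, modelled as an added example (not WordPress source and not the attached patch): `MiniError` stands in for `WP_Error`, every function name is hypothetical, and the proposed clearing step is an assumed reading of the first bullet. With both fields blank, the plugin's error code is lost in the reported flow and kept in the proposed one.

```php
<?php
// Added illustration: a stand-alone model, not WordPress source and not the attached patch.
// MiniError stands in for WP_Error; every function name here is hypothetical.
class MiniError {
    public $errors = array();
    public function add($code, $message) { $this->errors[$code][] = $message; }
    public function codes() { return array_keys($this->errors); }
}

// A plugin callback on the 'authenticate' chain that reports its own failure.
function plugin_authenticate($user, $username, $password) {
    $error = new MiniError();
    $error->add('plugin_error', 'Plugin: external login failed.'); // constructed message
    return $error;
}

// Username/password callback that runs after the plugin.
// $keepExisting = false: reported behaviour, a fresh error object replaces $user.
// $keepExisting = true:  proposed behaviour, an existing error object is extended.
function password_authenticate($user, $username, $password, $keepExisting) {
    if ($username !== '' && $password !== '') {
        return $user; // real credential checking is out of scope for this model
    }
    $error = ($keepExisting && $user instanceof MiniError) ? $user : new MiniError();
    if ($username === '') { $error->add('empty_username', 'The username field is empty.'); }
    if ($password === '') { $error->add('empty_password', 'The password field is empty.'); }
    return $error;
}

// Sign-on step: clears the two blank-field errors, as the description says wp_signon does.
function signon_error_codes($keepExisting) {
    $result = plugin_authenticate(null, '', '');
    $result = password_authenticate($result, '', '', $keepExisting);
    if ($keepExisting) {
        // Assumed form of the proposed clearing: drop only the two blank-field codes.
        unset($result->errors['empty_username'], $result->errors['empty_password']);
    } elseif ($result->codes() == array('empty_username', 'empty_password')) {
        // Reported form: the whole object is swapped for an empty one.
        $result = new MiniError();
    }
    return $result->codes();
}

echo 'reported: ', json_encode(signon_error_codes(false)), "\n";
echo 'proposed: ', json_encode(signon_error_codes(true)), "\n";
```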

Attachments (2)

plugin-auth-fix.php (1.8 KB) - added by wnorris 11 years ago.
plugin-auth-fix.php.diff (1.8 KB) - added by miqrogroove 11 years ago.
renamed file by wnorris - for visibility


Change History (7)

#1 @wnorris
11 years ago

  • Component changed from Plugins to Security
  • Owner set to ryan

@miqrogroove
11 years ago

renamed file by wnorris - for visibility

#2 @miqrogroove
11 years ago

wnorris, I don't think you've quite made the case for this patch.

> Also changes how wp_signon clears out the 'empty_username' and 'empty_password' errors, to ensure that any others are maintained

As I understand the existing code, WordPress does not clear out the empty_username and empty_password items if other errors are present. This is made fairly obvious by the patch's attempt to unset errors in the context of an authentication failure. If you think there's a sane way to do that, it needs to be explained and documented.

#3 @miqrogroove
11 years ago

  • Keywords reporter-feedback added; authentication login plugins has-patch removed

#4 @nacin
11 years ago

  • Milestone Unassigned deleted
  • Resolution set to worksforme
  • Status changed from new to closed

Re-open with steps to reproduce.

#5 @willnorris
7 years ago

Just leaving myself a note here that this is a duplicate of #19714.
