Make WordPress Core

Opened 14 years ago

Closed 14 years ago

#13654 closed defect (bug) (fixed)

Install should NOT use stripslashes on admin password

Reported by: johanee
Owned by: dd32
Milestone: 3.0
Priority: normal
Severity: normal
Version: 3.0
Component: Upgrade/Install
Keywords:
Focuses:
Cc:


If you use ', ", \ in the administration password when doing a new install you will not be able to log in.

This is because the new 3.0 install uses stripslashes() on the administrator password.

This would normally be the right thing to do, but unfortunately no other part of the WordPress password handling does so. Login tests against unescaped strings; new user creation and user edit use the same.

This is unfortunate, but as all WordPress users ever created have \", \', in their hashed passwords (depending on server configuration I guess) it is probably too painful to change.

Therefore wp-admin/install.php should be changed to not use stripslashes().

Attachments (1)

install-password-fix.patch (1.0 KB) - added by johanee 14 years ago.
Do not use stripslashes() on admin password when installing


Change History (4)

14 years ago

Do not use stripslashes() on admin password when installing

#1 @markjaquith
14 years ago

Good catch.

Your patch looks good for 3.0. For 3.1, we can put in migration code.

[5/31/10 6:34:11 AM] Mark Jaquith: We could migrate people.
[5/31/10 6:34:13 AM] Dion (dd32): Perhaps oughta just add proper stripslashing in 3.1, and add back-compat to change password from non-stripslashed to stripslashed.. similar to the md5->phpass implementation..
[5/31/10 6:35:13 AM] Mark Jaquith: Yep. If the PW doesn't match, addslashes() and compare again. If that matches, set the new PW hash. Right?
[5/31/10 6:35:19 AM] Dion (dd32): yep

#2 @dd32
14 years ago

(In [15073]) Do not stripslashes() passwords during Install, Matches Login/Updating password handling. Props johanee. See #13654

#3 @dd32
14 years ago

  • Resolution set to fixed
  • Status changed from new to closed

Created #13655 as a follow on task for 3.1
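
The mismatch reported in this ticket and the fallback sketched in comment #1, as an added PHP example that is not WordPress code and not the attached patch. It assumes the password field arrives slashed (simulated with addslashes()), uses password_hash()/password_verify() in place of WordPress's hasher, and all function names are hypothetical.

```php
<?php
// Added illustration, not WordPress code: password_hash()/password_verify()
// stand in for WordPress's hasher, and all function names are hypothetical.

// Assumption: the request layer hands over the field slashed, as addslashes() would.
function as_received(string $typed): string {
    return addslashes($typed);
}

// Install as the ticket describes the 3.0 bug: stripslashes() before hashing.
function install_hash_buggy(string $received): string {
    return password_hash(stripslashes($received), PASSWORD_DEFAULT);
}

// Install after the fix: hash the same string the login path will compare.
function install_hash_fixed(string $received): string {
    return password_hash($received, PASSWORD_DEFAULT);
}

// Login as the ticket describes it: the received string is checked as-is.
function login_current(string $received, string $stored): bool {
    return password_verify($received, $stored);
}

// Fallback from comment #1: unslash first; on mismatch retry with
// addslashes() and, if that matches, store a hash of the unslashed form.
function login_with_migration(string $received, string &$stored): bool {
    $plain = stripslashes($received);
    if (password_verify($plain, $stored)) {
        return true;
    }
    if (password_verify(addslashes($plain), $stored)) {
        $stored = password_hash($plain, PASSWORD_DEFAULT);
        return true;
    }
    return false;
}

// Constructed sample password containing ', " and \ (the characters in the report).
$received = as_received('pa\'ss"wo\\rd');

// Buggy install followed by login, then fixed install followed by login.
var_dump(login_current($received, install_hash_buggy($received)));
var_dump(login_current($received, install_hash_fixed($received)));

// Legacy hash of the slashed form, checked by the migrating login.
$legacy = install_hash_fixed($received);
var_dump(login_with_migration($received, $legacy));
var_dump(password_verify('pa\'ss"wo\\rd', $legacy));
```

Only the first check fails, because the buggy install hashed a different string than the one login compares.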
