Make WordPress Core

Opened 8 years ago

Closed 8 years ago

#13654 closed defect (bug) (fixed)

Install should NOT use stripslashes on admin password

Reported by: johanee
Owned by: dd32
Milestone: 3.0
Priority: normal
Severity: normal
Version: 3.0
Component: Upgrade/Install
Keywords:
Focuses:
Cc:


If you use ', ", \ in the administration password when doing a new install, you will not be able to log in.

This is because the new 3.0 install uses stripslashes() on the administrator password.

This would normally be the right thing to do, but unfortunately no other part of the WordPress password handling does so. Login tests against unescaped strings; new user creation and user edit use the same.

This is unfortunate, but as all WordPress users ever created have \", \' in their hashed passwords (depending on server configuration I guess) it is probably too painful to change.

Therefore wp-admin/install.php should be changed to not use stripslashes().

Attachments (1)

install-password-fix.patch (1.0 KB) - added by johanee 8 years ago.
Do not use stripslashes() on admin password when installing


Change History (4)

8 years ago

Do not use stripslashes() on admin password when installing

#1 @markjaquith
8 years ago

Good catch.

Your patch looks good for 3.0. For 3.1, we can put in migration code.

[5/31/10 6:34:11 AM] Mark Jaquith: We could migrate people.
[5/31/10 6:34:13 AM] Dion (dd32): Perhaps oughta just add proper stripslashing in 3.1, and add back-compat to change password from non-stripslashed to stripslashed.. similar to the md5->phpass implementation..
[5/31/10 6:35:13 AM] Mark Jaquith: Yep. If the PW doesn't match, addslashes() and compare again. If that matches, set the new PW hash. Right?
[5/31/10 6:35:19 AM] Dion (dd32): yep
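
An added illustration of the install/login mismatch and of the 3.1 migration sketched in this comment; it is not WordPress's or the ticket's own code, and it assumes password_hash()/password_verify() in place of WordPress's own hashing functions.

```php
<?php
// Added illustration, not WordPress code. password_hash()/password_verify()
// stand in for WordPress's own hashing (an assumption of this demo).

// The slashed form that PHP magic quotes / WP request slashing handed to
// install.php and wp-login.php for the password the user typed.
function slashed(string $raw): string {
    return addslashes($raw);
}

// 3.0 before the patch: install stripped the slashes before hashing, while
// login checked the slashed string as received, so the two never agreed.
function install_hash_buggy(string $slashed_pw): string {
    return password_hash(stripslashes($slashed_pw), PASSWORD_DEFAULT);
}
function login_30(string $slashed_pw, string $hash): bool {
    return password_verify($slashed_pw, $hash);
}

// After [15073]: install hashes the slashed string too, so they agree.
function install_hash_fixed(string $slashed_pw): string {
    return password_hash($slashed_pw, PASSWORD_DEFAULT);
}

// The 3.1 plan from this comment: check the properly unslashed password;
// if that fails, addslashes() and compare again; on a match, store a new
// hash of the unslashed password. Returns [logged_in, replacement_hash|null].
function login_31_migrating(string $slashed_pw, string $hash): array {
    $clean = stripslashes($slashed_pw);
    if (password_verify($clean, $hash)) {
        return [true, null];
    }
    if (password_verify(addslashes($clean), $hash)) {
        return [true, password_hash($clean, PASSWORD_DEFAULT)];
    }
    return [false, null];
}

// Constructed sample password containing a quote and a backslash.
$pw = slashed("pa'ss\\word");
var_dump(login_30($pw, install_hash_buggy($pw)));   // the bug: login rejects it
$legacy = install_hash_fixed($pw);
var_dump(login_30($pw, $legacy));                   // fixed install: accepted
[$ok, $new] = login_31_migrating($pw, $legacy);
var_dump($ok, $new !== null);                       // legacy hash is migrated
[$ok2, $new2] = login_31_migrating($pw, $new);
var_dump($ok2, $new2);                              // migrated hash needs no rework
```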

#2 @dd32
8 years ago

(In [15073]) Do not stripslashes() passwords during Install, Matches Login/Updating password handling. Props johanee. See #13654

#3 @dd32
8 years ago

  • Resolution set to fixed
  • Status changed from new to closed

Created #13655 as a follow-on task for 3.1
