Opened 15 years ago
Closed 15 years ago
#13654 closed defect (bug) (fixed)
Install should NOT use stripslashes on admin password
Reported by: | | Owned by: | |
---|---|---|---|
Milestone: | 3.0 | Priority: | normal |
Severity: | normal | Version: | 3.0 |
Component: | Upgrade/Install | Keywords: | |
Focuses: | | Cc: | |
Description
If you use ', ", \ in the administration password when doing a new install you will not be able to log in.
This is because the new 3.0 install uses stripslashes() on the administrator password.
This would normally be the right thing to do, but unfortunately no other part of the WordPress password handling does so. Login tests against unescaped strings, new user creation and user edit use the same.
This is unfortunate, but as all WordPress users ever created have \", \', in their hashed passwords (depending on server configuration I guess) it is probably too painful to change.
Therefore wp-admin/install.php should be changed to not use stripslashes().
Attachments (1)
Change History (4)
#1
@
15 years ago
Good catch.
Your patch looks good for 3.0. For 3.1, we can put in migration code.
[5/31/10 6:34:11 AM] Mark Jaquith: We could migrate people.
[5/31/10 6:34:13 AM] Dion (dd32): Perhaps oughta just add proper stripslashing in 3.1, and add back-compat to change password from non-stripslashed to stripslashed.. similar to the md5->phpass implementation..
[5/31/10 6:35:13 AM] Mark Jaquith: Yep. If the PW doesn't match, addslashes() and compare again. If that matches, set the new PW hash. Right?
[5/31/10 6:35:19 AM] Dion (dd32): yep
Do not use stripslashes() on admin password when installing
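
The migration discussed in the chat above (if the password does not match, addslashes() and compare again, then set the new hash on a match), sketched as an added example that is not WordPress code or part of this ticket. password_hash()/password_verify() stand in for the project's hasher, and check_and_migrate() and the $users array are hypothetical names.

```php
<?php
// Added example, not WordPress code. password_hash()/password_verify() are
// stand-ins for the project's hasher; $users stands in for the user table.

/**
 * Verify a login and migrate a legacy hash that was computed over the
 * slash-escaped form of the password.
 * Returns 'ok', 'migrated' or 'fail'.
 */
function check_and_migrate(array &$users, string $login, string $password): string
{
    if (!isset($users[$login])) {
        return 'fail';
    }
    $stored = $users[$login];

    // Normal path: the hash was computed over the password as typed.
    if (password_verify($password, $stored)) {
        return 'ok';
    }

    // Legacy path: only worth trying when escaping actually changes the string.
    $escaped = addslashes($password);
    if ($escaped !== $password && password_verify($escaped, $stored)) {
        // Re-hash the unescaped form so the fallback is needed only once.
        $users[$login] = password_hash($password, PASSWORD_DEFAULT);
        return 'migrated';
    }
    return 'fail';
}

// Constructed sample data: one account hashed the legacy (escaped) way,
// one hashed over the password as typed.
$typed = 'it\'s "my" pass\\word';
$users = [
    'legacy' => password_hash(addslashes($typed), PASSWORD_DEFAULT),
    'modern' => password_hash($typed, PASSWORD_DEFAULT),
];

var_dump(check_and_migrate($users, 'legacy', $typed));     // first login, fallback path
var_dump(check_and_migrate($users, 'legacy', $typed));     // same account after re-hash
var_dump(check_and_migrate($users, 'modern', $typed));     // never needed migration
var_dump(check_and_migrate($users, 'modern', 'wrong\'pw')); // wrong password
```

Until a legacy account has logged in once, its stored hash also verifies for the escaped string typed literally, so the fallback is best treated as a temporary path and removed once migration is complete.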