Make WordPress Core

Opened 4 years ago

Closed 2 years ago

Last modified 21 months ago

#17018 closed defect (bug) (fixed)

Password Email contains wrong Password

Reported by: hakre Owned by: SergeyBiryukov
Milestone: 3.6 Priority: normal
Severity: normal Version: 2.8
Component: Users Keywords: has-patch commit
Focuses: Cc:


On creating a new user and choosing the option to send the password to the new user by email, the email containing the password can contain a wrong password making it impossible for the new user to log in.

The cause of the problem is that the email contains the password slashed, e.g. " in the password will be written as \" in the email.

Attachments (4)

17018.patch (564 bytes) - added by hakre 4 years ago.
17018-make-them-work.patch (612 bytes) - added by hakre 4 years ago.
for those who want to adapt an existing installation working with passwords that have already been emailed to a larger user-base, this example code / patch might seem handy.
17018.1.patch (522 bytes) - added by kurtpayne 2 years ago.
Refresh for 3.5
17018.2.patch (1.7 KB) - added by SergeyBiryukov 2 years ago.

Download all attachments as: .zip

Change History (18)

comment:1 @hakre4 years ago

More information: The Email has the slash before the quote-char in it. I'll try to get a full copy of the email now with raw source.

Related: #8866 / [11292]

Update: Was able to, slash is in mail body.

Last edited 4 years ago by hakre (previous) (diff)

comment:2 @hakre4 years ago

Cause of the error is that the Password is to be expected to be pre-processed - the process to add is to add slashes.

$_POST is being addslashes()'ed in wp_magic_quotes() / wp-load.php of every request - that's for both important processes, the process of creating the new user, and for logging in with the new user.

The slashed password is used as source to create the password hash when adding a new user.

The email function wp_new_user_notification() will put the password as passed into the email that will be send out (slashes added).

The password with slashes added will be taken out of the email by the new user.

The user will then add the already slashed password into the login form.

The $_POST data from the login will be slashed again because wordpress slashes all input (Related: #5791).

The password will now be double-slash-added. The double-slashed password will be taken then to create the hash that is compared against the stored password hash.

This fails as the stored password hash has been build not from the double-slashed but from the one-time-addslashed version.

To obtain the requsted plaintext password in it's raw form that is going to be processed in the login form, stripslashes() needs to be applied first before sending it out per email.

Don't expect that the password users recieve is actually the plain used to generate the hash with wordpress. It's simple if you know how ;)

Last edited 4 years ago by hakre (previous) (diff)

comment:3 @hakre4 years ago

  • Keywords has-patch added

@hakre4 years ago


@hakre4 years ago

for those who want to adapt an existing installation working with passwords that have already been emailed to a larger user-base, this example code / patch might seem handy.

comment:4 @hakre4 years ago

  • Keywords dev-feedback added

Are those types of bugs to be expected fixed in next minor?

comment:5 @hakre4 years ago

It's a simple fix, can we get some traction on this? I've run over it again, it especially happens if you use strong passwords with special chars in there. (Patch should still apply clean).

Last edited 4 years ago by hakre (previous) (diff)

@kurtpayne2 years ago

Refresh for 3.5

comment:6 @kurtpayne2 years ago

  • Cc kurtpayne added
  • Component changed from Administration to Users
  • Keywords 3.6-early added
  • Version changed from 3.0.5 to 2.8

Bug confirmed. Setting a password of pass"word' results in a notification of pass\"word\' but the actual login is unaffected.

Patch 17018.patch confirmed, but needed refreshing. Patch 17018.1.patch submitted for 3.5.

comment:7 @hakre2 years ago

#23488 was marked as a duplicate.

comment:8 @SergeyBiryukov2 years ago

  • Milestone changed from Awaiting Review to 3.6

Appears to be fixed in [23416].

Per ticket:23488:4, let's leave the ticket open until the changes are settled.

comment:9 @hakre2 years ago

This should also be fixed in 3.5. Otherwise we're standing on our own feet educating users using strong passwords if they find out that it does not work :/.

@SergeyBiryukov2 years ago

comment:10 @SergeyBiryukov2 years ago

  • Keywords commit added; dev-feedback 3.6-early removed

Refreshed after [23563].

comment:11 @ryan2 years ago

Looks good.

comment:12 @SergeyBiryukov2 years ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 23634:

When adding a new user in the admin, strip slashes from the password sent to the user by email. props hakre for initial patch. fixes #17018.

comment:13 @SergeyBiryukov21 months ago

#24640 was marked as a duplicate.

comment:14 @SergeyBiryukov21 months ago

In 24508:

Revert to storing a hash of the slashed password. fixes #24367. see #17018.

Note: See TracTickets for help on using tickets.