Make WordPress Core

Opened 13 years ago

Closed 13 years ago

#17145 closed defect (bug) (fixed)

Entities in protected post passwords cause password mismatch

Reported by: dllh's profile dllh Owned by: dd32's profile dd32
Milestone: 3.3 Priority: normal
Severity: normal Version:
Component: Validation Keywords: has-patch
Focuses: Cc:



  1. Make a new post.
  2. Give it a password with quotes or other entities in it (e.g. "here'quote")
  3. With cookies cleared and as a non-admin user, supply the correct password to view the post.

Expected Result: Rainbows, unicorns, access to the secrets of life via the newly unlocked post.

Actual Result: The password doesn't match. This is because setcookie() automatically urlencodes the cookie value. So the sample password above winds up causing "here%27quote" to be compared to "here'quote" and there's a mismatch.

The attached patch corrects the issue. Another approach would be to limit input on the front end. The attached post is a simpler solution less constraining on the user.

Attachments (1)

core_17145.diff (606 bytes) - added by dllh 13 years ago.

Download all attachments as: .zip

Change History (5)

13 years ago

#1 @dllh
13 years ago

Sorry, a clarification. The urlencoded value seems to be unencoded when brought back in for comparison, but with magic_quotes_gpc enabled, the quote is escaped. The patch checks for magic quotes and strips slashes if needed.

#2 @solarissmoke
13 years ago

  • Keywords has-patch added

#3 @dd32
13 years ago

  • Milestone changed from Awaiting Review to 3.3
  • Owner set to dd32
  • Status changed from new to accepted

Rather late patch review..

get_magic_quotes_gpc() is not needed, as WordPress currently forcibly quotes them, in this case, $_COOKIE should always be stripslashed.

#4 @dd32
13 years ago

  • Resolution set to fixed
  • Status changed from accepted to closed

In [18712]:

Allow Apostrophes in Post Passwords. $_POST and $_COOKIE are always slashed. Fixes #17145

Note: See TracTickets for help on using tickets.