Make WordPress Core

Opened 11 years ago

Closed 11 years ago

Last modified 10 years ago

#24367 closed defect (bug) (fixed)

Admin login with correct password fails

Reported by: sergejmueller's profile sergej.mueller Owned by: sergeybiryukov's profile SergeyBiryukov
Milestone: 3.6 Priority: high
Severity: blocker Version: 3.6
Component: Administration Keywords: has-patch
Focuses: Cc:

Description

  1. Clean blog with current WP 3.6 Beta3
  1. Blog install page: Set the admin password to
    Tea7"Kou>9Bia7@Cio(4
    
  1. After blog setup: The login with same password fails - every time.

Fix
Test for magic_quotes_gpc helps us.

Tea7\"Kou>9Bia7@Cio(4 !== Tea7"Kou>9Bia7@Cio(4

See also the Openwall notice: The "Magic Quotes" issue
http://www.openwall.com/articles/PHP-Users-Passwords

Attachments (4)

pluggable.php.patch (470 bytes) - added by sergej.mueller 11 years ago.
24367.patch (523 bytes) - added by ocean90 11 years ago.
24367.2.patch (1.1 KB) - added by SergeyBiryukov 11 years ago.
24367.3.patch (1.4 KB) - added by SergeyBiryukov 11 years ago.

Download all attachments as: .zip

Change History (20)

#1 @ocean90
11 years ago

  • Priority changed from normal to high
  • Severity changed from critical to blocker

Confirmed.

#2 @ocean90
11 years ago

Introduced by [23634]/#17018.

Attached patch adds wp_unslash() to wp_signon().

@ocean90
11 years ago

#3 @SergeyBiryukov
11 years ago

  • Milestone changed from Awaiting Review to 3.6

Somehow I missed that edit_user() actually sets the user's password from $_POST['pass1'], not just checks it.

Before [23634], we used to store a hash of the slashed password. We also passed the slashed password to check_passwords and user_profile_update_errors actions.

Now we store a hash of the unslashed password. We could add wp_unslash() to wp_signon(), as suggested in 24367.patch (24367.2.patch also removes an obsolete stripslashes() call from edit_user()). However, that would break passwords with slashes created prior to [23634].

Looks like we need to continue to use slashed passwords internally. 24367.3.patch is a partial revert of [23634]. It just fixes the password in the notification email, as originally suggested in #17018.

#4 @nacin
11 years ago

Yeah, we need to go back to storing a hash of the slashed password. Yes, this is stupid, and we ought to fix it, but right now let's handle the bug.

In 3.7, we can once again approach slashing with a scalpel, and actually offer a rolling upgrade to take slashed-password hashes and turn them into unslashed hashes (similar to what is done for md5 hashes). (I'm pretty sure authentication cookies are in a similar predicament.)

I'm fine with 24367.3.patch. ryan?

#5 @SergeyBiryukov
11 years ago

#24521 was marked as a duplicate.

#6 @koke
11 years ago

  • Cc koke added

#7 @ryan
11 years ago

Bummer, but seems the sensible route for now.

#8 @SergeyBiryukov
11 years ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 24508:

Revert to storing a hash of the slashed password. fixes #24367. see #17018.

#9 @daniloercoli
11 years ago

  • Cc daniloercoli added

#10 @sergej.mueller
11 years ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

The bug is reproducible in WordPress 3.7 RC1 with the password phrase Tri0'Lou~6Fus9(Gig-1
#singlequote

#11 @ocean90
11 years ago

This ticket was closed on a completed milestone. Please open a new one if there's a problem.

#12 @ocean90
11 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

#13 @TobiasBg
11 years ago

FWIW, I just tried the password Tri0'Lou~6Fus9(Gig-1 both by setting it for another user and by having a user change it for himself, but could not reproduce the problem. The log-in worked fine.

#15 follow-up: @Nao
10 years ago

This issue doesn't seem to be fixed yet for backslash.

I tried using these passwords at install:

Test\
Tri0'Lou~6Fus9(Gig-\

I was able to finish install process with either one, but couldn't log in using the exact passwords.
Tested on 3.8.1 and 3.9-alpha-27111.

#16 in reply to: ↑ 15 @SergeyBiryukov
10 years ago

Replying to Nao:

This issue doesn't seem to be fixed yet for backslash.

See #27464.

Note: See TracTickets for help on using tickets.