Admin login with correct password fails

[sergej.mueller]

1. Clean blog with current WP 3.6 Beta3

2. Blog install page: Set the admin password to

   Tea7"Kou>9Bia7@Cio(4
   

3. After blog setup: The login with same password fails - every time.

Fix
Test for magic_quotes_gpc helps us.

Tea7\"Kou>9Bia7@Cio(4 !== Tea7"Kou>9Bia7@Cio(4

See also the Openwall notice: The "Magic Quotes" issue
​http://www.openwall.com/articles/PHP-Users-Passwords

[ocean90]

Confirmed.

[ocean90]

Introduced by [23634]/#17018.

Attached patch adds wp_unslash() to wp_signon().

[SergeyBiryukov]

Somehow I missed that edit_user() actually sets the user's password from $_POST['pass1'], not just checks it.

Before [23634], we used to store a hash of the slashed password. We also passed the slashed password to check_passwords and user_profile_update_errors actions.

Now we store a hash of the unslashed password. We could add wp_unslash() to wp_signon(), as suggested in 24367.patch​ (24367.2.patch​ also removes an obsolete stripslashes() call from edit_user()). However, that would break passwords with slashes created prior to [23634].

Looks like we need to continue to use slashed passwords internally. 24367.3.patch​ is a partial revert of [23634]. It just fixes the password in the notification email, as originally suggested in #17018.

[nacin]

Yeah, we need to go back to storing a hash of the slashed password. Yes, this is stupid, and we ought to fix it, but right now let's handle the bug.

In 3.7, we can once again approach slashing with a scalpel, and actually offer a rolling upgrade to take slashed-password hashes and turn them into unslashed hashes (similar to what is done for md5 hashes). (I'm pretty sure authentication cookies are in a similar predicament.)

I'm fine with 24367.3.patch​. ryan?

[SergeyBiryukov]

#24521 was marked as a duplicate.

[ryan]

Bummer, but seems the sensible route for now.

[SergeyBiryukov]

In 24508:

Revert to storing a hash of the slashed password. fixes #24367. see #17018.

[sergej.mueller]

The bug is reproducible in WordPress 3.7 RC1 with the password phrase Tri0'Lou~6Fus9(Gig-1
#singlequote

[ocean90]

This ticket was closed on a completed milestone. Please open a new one if there's a problem.

[TobiasBg]

FWIW, I just tried the password Tri0'Lou~6Fus9(Gig-1 both by setting it for another user and by having a user change it for himself, but could not reproduce the problem. The log-in worked fine.

[SergeyBiryukov]

Follow-up: #26573

[Nao]

This issue doesn't seem to be fixed yet for backslash.

I tried using these passwords at install:

Test\
Tri0'Lou~6Fus9(Gig-\

I was able to finish install process with either one, but couldn't log in using the exact passwords.
Tested on 3.8.1 and 3.9-alpha-27111.

[SergeyBiryukov]

Replying to Nao:

This issue doesn't seem to be fixed yet for backslash.

See #27464.