WordPress.org

Make WordPress Core

Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#24367 closed defect (bug) (fixed)

Admin login with correct password fails

Reported by: sergej.mueller Owned by: SergeyBiryukov
Milestone: 3.6 Priority: high
Severity: blocker Version: 3.6
Component: Administration Keywords: has-patch
Focuses: Cc:

Description

  1. Clean blog with current WP 3.6 Beta3
  1. Blog install page: Set the admin password to
    Tea7"Kou>9Bia7@Cio(4
    
  1. After blog setup: The login with same password fails - every time.

Fix
Test for magic_quotes_gpc helps us.

Tea7\"Kou>9Bia7@Cio(4 !== Tea7"Kou>9Bia7@Cio(4

See also the Openwall notice: The "Magic Quotes" issue
http://www.openwall.com/articles/PHP-Users-Passwords

Attachments (4)

pluggable.php.patch (470 bytes) - added by sergej.mueller 4 years ago.
24367.patch (523 bytes) - added by ocean90 4 years ago.
24367.2.patch (1.1 KB) - added by SergeyBiryukov 4 years ago.
24367.3.patch (1.4 KB) - added by SergeyBiryukov 4 years ago.

Download all attachments as: .zip

Change History (20)

#1 @ocean90
4 years ago

  • Priority changed from normal to high
  • Severity changed from critical to blocker

Confirmed.

#2 @ocean90
4 years ago

Introduced by [23634]/#17018.

Attached patch adds wp_unslash() to wp_signon().

@ocean90
4 years ago

#3 @SergeyBiryukov
4 years ago

  • Milestone changed from Awaiting Review to 3.6

Somehow I missed that edit_user() actually sets the user's password from $_POST['pass1'], not just checks it.

Before [23634], we used to store a hash of the slashed password. We also passed the slashed password to check_passwords and user_profile_update_errors actions.

Now we store a hash of the unslashed password. We could add wp_unslash() to wp_signon(), as suggested in 24367.patch (24367.2.patch also removes an obsolete stripslashes() call from edit_user()). However, that would break passwords with slashes created prior to [23634].

Looks like we need to continue to use slashed passwords internally. 24367.3.patch is a partial revert of [23634]. It just fixes the password in the notification email, as originally suggested in #17018.

#4 @nacin
4 years ago

Yeah, we need to go back to storing a hash of the slashed password. Yes, this is stupid, and we ought to fix it, but right now let's handle the bug.

In 3.7, we can once again approach slashing with a scalpel, and actually offer a rolling upgrade to take slashed-password hashes and turn them into unslashed hashes (similar to what is done for md5 hashes). (I'm pretty sure authentication cookies are in a similar predicament.)

I'm fine with 24367.3.patch. ryan?

#5 @SergeyBiryukov
4 years ago

#24521 was marked as a duplicate.

#6 @koke
4 years ago

  • Cc koke added

#7 @ryan
4 years ago

Bummer, but seems the sensible route for now.

#8 @SergeyBiryukov
4 years ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 24508:

Revert to storing a hash of the slashed password. fixes #24367. see #17018.

#9 @daniloercoli
4 years ago

  • Cc daniloercoli added

#10 @sergej.mueller
4 years ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

The bug is reproducible in WordPress 3.7 RC1 with the password phrase Tri0'Lou~6Fus9(Gig-1
#singlequote

#11 @ocean90
4 years ago

This ticket was closed on a completed milestone. Please open a new one if there's a problem.

#12 @ocean90
4 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

#13 @TobiasBg
4 years ago

FWIW, I just tried the password Tri0'Lou~6Fus9(Gig-1 both by setting it for another user and by having a user change it for himself, but could not reproduce the problem. The log-in worked fine.

#15 follow-up: @Nao
4 years ago

This issue doesn't seem to be fixed yet for backslash.

I tried using these passwords at install:

Test\
Tri0'Lou~6Fus9(Gig-\

I was able to finish install process with either one, but couldn't log in using the exact passwords.
Tested on 3.8.1 and 3.9-alpha-27111.

#16 in reply to: ↑ 15 @SergeyBiryukov
4 years ago

Replying to Nao:

This issue doesn't seem to be fixed yet for backslash.

See #27464.

Note: See TracTickets for help on using tickets.